Vulnerabilities > Apache > Struts > 2.3.15.3
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-05-08 | CVE-2014-0116 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. | 5.8 |
2014-04-29 | CVE-2014-0113 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. | 7.5 |
2014-04-29 | CVE-2014-0112 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. | 7.5 |
2014-03-11 | CVE-2014-0094 | Classloader Manipulation Security Bypass vulnerability in RETIRED: Apache Struts The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | 5.0 |
2013-11-02 | CVE-2013-6348 | Cross-Site Scripting vulnerability in Apache Struts 2.3.15.3 Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. | 4.3 |