Vulnerabilities > Apache > Struts > 2.3.16.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-07-10 | CVE-2017-9791 | Improper Input Validation vulnerability in Apache Struts The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. | 7.5 |
| 2017-03-11 | CVE-2017-5638 | Improper Input Validation vulnerability in Apache Struts The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. | 10.0 |
| 2016-10-03 | CVE-2016-4436 | Security Bypass vulnerability in Apache Struts Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | 7.5 |
| 2016-06-07 | CVE-2016-3093 | Improper Input Validation vulnerability in multiple products Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. | 5.3 |
| 2016-04-26 | CVE-2016-3082 | Improper Input Validation vulnerability in Apache Struts XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | 10.0 |
| 2016-04-26 | CVE-2016-3081 | Command Injection vulnerability in multiple products Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | 9.3 |
| 2016-04-12 | CVE-2016-4003 | Cross-site Scripting vulnerability in Apache Struts Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | 4.3 |
| 2016-04-12 | CVE-2016-2162 | Cross-site Scripting vulnerability in Apache Struts Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | 4.3 |
| 2016-04-12 | CVE-2016-0785 | Improper Input Validation vulnerability in Apache Struts Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | 9.0 |
| 2014-12-10 | CVE-2014-7809 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Struts Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | 6.8 |