Vulnerabilities affecting Apache Struts 2.3.20.1

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor(s) | CWE | Severity | Risk (CVSS score) |
|---|---|---|---|---|---|---|---|---|---|
| 2016-10-03 | CVE-2016-4436 | Security Bypass vulnerability in Apache Struts | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | network | low complexity | apache | | | 7.5 |
| 2016-07-04 | CVE-2016-4465 | Improper Input Validation vulnerability in Apache Struts | The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | network | low complexity | apache | CWE-20 | | 5.0 |
| 2016-07-04 | CVE-2016-4438 | Improper Input Validation vulnerability in Apache Struts | The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | network | low complexity | apache | CWE-20 | | 7.5 |
| 2016-07-04 | CVE-2016-4433 | Improper Input Validation vulnerability in Apache Struts | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | network | low complexity | apache | CWE-20 | | 5.0 |
| 2016-07-04 | CVE-2016-4431 | Improper Input Validation vulnerability in Apache Struts | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | network | low complexity | apache | CWE-20 | | 5.0 |
| 2016-07-04 | CVE-2016-4430 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Struts | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | network | | apache | CWE-352 | | 6.8 |
| 2016-06-07 | CVE-2016-3093 | Improper Input Validation vulnerability in multiple products | Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. | network | low complexity | ognl-project, apache | CWE-20 | | 5.3 |
| 2016-06-07 | CVE-2016-3087 | Improper Input Validation vulnerability in Apache Struts | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | network | low complexity | apache | CWE-20 | | 7.5 |
| 2016-04-26 | CVE-2016-3082 | Improper Input Validation vulnerability in Apache Struts | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | network | low complexity | apache | CWE-20 | critical | 10.0 |
| 2016-04-26 | CVE-2016-3081 | Command Injection vulnerability in multiple products | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | network | | apache, oracle | CWE-77 | critical | 9.3 |

Empty cells are fields the listing does not give for that entry. Note that two of the remote code execution entries (CVE-2016-3087 and CVE-2016-3081) apply only when Dynamic Method Invocation is enabled, and CVE-2016-3093 only when the deployment uses OGNL before 3.0.12, so the installed Struts version alone does not settle exposure to those three.
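The affected-version ranges above are the kind of data an inventory or SCA check consumes, and comparing four-part Struts versions such as 2.3.20.1 against bounds like "2.3.24.x before 2.3.24.2" is where such checks usually go wrong. The following is an added example, not code from the Apache Struts project, NVD or this site: it transcribes the ranges from the table and reports which entries apply to a given version, honouring the Dynamic Method Invocation and OGNL preconditions the descriptions state. The names parse_version, compare, VersionRange, Advisory, affected_cves and highest_score are this example's own, and the reading of "X through Y" and "X to Y" as inclusive, "before Y" as exclusive, and "2.5.x" as starting at 2.5.0 is this transcription's assumption.

```python
"""Check an Apache Struts 2 version against the affected ranges in the table above.

Added example, not code from the Apache Struts project, NVD or this site. The
ranges are transcribed from the CVE descriptions on the page; "X through Y" and
"X to Y" are treated as inclusive, "before Y" as exclusive, and "2.5.x" as
starting at 2.5.0 (assumptions of this transcription).
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.20.1' -> (2, 3, 20, 1). Non-numeric qualifiers are rejected, not guessed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported Struts version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Zero-pad to equal length so that 2.3.20 < 2.3.20.1 and 2.3.24 == 2.3.24.0."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


@dataclass(frozen=True)
class VersionRange:
    low: str             # inclusive lower bound
    high: str            # upper bound
    high_inclusive: bool

    def contains(self, v: Version) -> bool:
        if compare(v, parse_version(self.low)) < 0:
            return False
        c = compare(v, parse_version(self.high))
        return c <= 0 if self.high_inclusive else c < 0


def through(low: str, high: str) -> VersionRange:
    """'low through high' / 'low to high': both ends inclusive."""
    return VersionRange(low, high, True)


def before(low: str, high: str) -> VersionRange:
    """'low.x before high': lower bound inclusive, upper bound exclusive."""
    return VersionRange(low, high, False)


@dataclass(frozen=True)
class Advisory:
    cve: str
    score: float                   # risk score as listed on the page
    ranges: Tuple[VersionRange, ...]
    needs_dmi: bool = False        # only when Dynamic Method Invocation is enabled
    needs_old_ognl: bool = False   # only when used with OGNL before 3.0.12


# Transcribed from the table on this page, in the same order.
ADVISORIES: Tuple[Advisory, ...] = (
    Advisory("CVE-2016-4436", 7.5, (before("2.0.0", "2.3.29"), before("2.5.0", "2.5.1"))),
    Advisory("CVE-2016-4465", 5.0, (through("2.3.20", "2.3.28.1"), before("2.5.0", "2.5.1"))),
    Advisory("CVE-2016-4438", 7.5, (through("2.3.19", "2.3.28.1"),)),
    Advisory("CVE-2016-4433", 5.0, (through("2.3.20", "2.3.28.1"),)),
    Advisory("CVE-2016-4431", 5.0, (through("2.3.20", "2.3.28.1"),)),
    Advisory("CVE-2016-4430", 6.8, (through("2.3.20", "2.3.28.1"),)),
    Advisory("CVE-2016-3093", 5.3, (through("2.0.0", "2.3.24.1"),), needs_old_ognl=True),
    Advisory("CVE-2016-3087", 7.5, (through("2.3.19", "2.3.20.2"), through("2.3.21", "2.3.24.1"),
                                    through("2.3.25", "2.3.28")), needs_dmi=True),
    Advisory("CVE-2016-3082", 10.0, (before("2.0.0", "2.3.20.2"), before("2.3.24", "2.3.24.2"),
                                     before("2.3.28", "2.3.28.1"))),
    Advisory("CVE-2016-3081", 9.3, (through("2.3.19", "2.3.20.2"), through("2.3.21", "2.3.24.1"),
                                    through("2.3.25", "2.3.28")), needs_dmi=True),
)


def affected_cves(version: str, dmi_enabled: bool = True,
                  ognl_before_3_0_12: bool = True) -> List[str]:
    """CVE ids from the table that apply to `version`. The two preconditions default
    to True: assume the worst until the deployment has been checked (the
    struts.enable.DynamicMethodInvocation constant, and the bundled OGNL version)."""
    v = parse_version(version)
    hits: List[str] = []
    for adv in ADVISORIES:
        if adv.needs_dmi and not dmi_enabled:
            continue
        if adv.needs_old_ognl and not ognl_before_3_0_12:
            continue
        if any(r.contains(v) for r in adv.ranges):
            hits.append(adv.cve)
    return hits


def highest_score(version: str, **flags) -> float:
    """Largest listed score among the applicable entries; 0.0 when none apply."""
    ids = set(affected_cves(version, **flags))
    return max((a.score for a in ADVISORIES if a.cve in ids), default=0.0)


if __name__ == "__main__":
    for ver in ("2.3.20.1", "2.3.24.1", "2.3.28.1", "2.3.29", "2.5.0"):
        print(ver, highest_score(ver), affected_cves(ver))
```

Running it for 2.3.20.1 returns all ten entries, which is the point of this page; for 2.3.29 it returns none, and for 2.5.0 only CVE-2016-4436 and CVE-2016-4465. Passing dmi_enabled=False drops the two DMI-conditional RCEs, which is the one mitigation the descriptions themselves point at short of upgrading.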