Vulnerabilities > Apache > Struts > 2.3.28

DATE CVE VULNERABILITY TITLE RISK
2016-07-04 CVE-2016-4465 Improper Input Validation vulnerability in Apache Struts
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
network
low complexity
apache CWE-20
5.0
5.0
2016-07-04 CVE-2016-4438 Improper Input Validation vulnerability in Apache Struts
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
network
low complexity
apache CWE-20
7.5
7.5
2016-07-04 CVE-2016-4433 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
network
low complexity
apache CWE-20
5.0
5.0
2016-07-04 CVE-2016-4431 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
network
low complexity
apache CWE-20
5.0
5.0
2016-07-04 CVE-2016-4430 Cross-Site Request Forgery (CSRF) vulnerability in Apache Struts
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
network
apache CWE-352
6.8
6.8
2016-06-07 CVE-2016-3087 Improper Input Validation vulnerability in Apache Struts
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
network
low complexity
apache CWE-20
7.5
7.5
2016-04-26 CVE-2016-3082 Improper Input Validation vulnerability in Apache Struts
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
network
low complexity
apache CWE-20
critical
 10.0
10
2016-04-26 CVE-2016-3081 Command Injection vulnerability in multiple products
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
network
apache oracle CWE-77
critical
 9.3
9.3