Vulnerabilities > Apache > Struts > 2.3.5
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-04-29 | CVE-2014-0112 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. | 7.5 |
2014-03-11 | CVE-2014-0094 | Classloader Manipulation Security Bypass vulnerability in RETIRED: Apache Struts The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | 5.0 |
2013-07-16 | CVE-2013-2135 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | 9.3 |
2013-07-16 | CVE-2013-2134 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | 9.3 |
2013-07-10 | CVE-2013-2115 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | 9.3 |
2013-07-10 | CVE-2013-1966 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | 9.3 |
2013-07-10 | CVE-2013-1965 | Code Injection vulnerability in Apache Struts and Struts2-Showcase Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. | 9.3 |