Vulnerabilities > Apache > Struts > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-06-14 CVE-2023-34149 Unspecified vulnerability in Apache Struts
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
network
low complexity
apache
6.5
2020-02-27 CVE-2015-2992 Cross-site Scripting vulnerability in Apache Struts
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
network
low complexity
apache CWE-79
6.1
2017-12-01 CVE-2017-15707 Improper Input Validation vulnerability in multiple products
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
local
low complexity
apache netapp oracle CWE-20
6.2
2017-09-25 CVE-2015-5169 Cross-site Scripting vulnerability in Apache Struts
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
network
low complexity
apache CWE-79
6.1
2017-09-20 CVE-2016-8738 Improper Input Validation vulnerability in Apache Struts
In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
network
high complexity
apache CWE-20
5.9
2017-07-13 CVE-2017-7672 Improper Input Validation vulnerability in Apache Struts
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
network
high complexity
apache CWE-20
5.9
2016-07-04 CVE-2016-4465 Improper Input Validation vulnerability in Apache Struts
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
network
low complexity
apache CWE-20
5.3
2016-06-07 CVE-2016-3093 Improper Input Validation vulnerability in multiple products
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
network
low complexity
ognl-project apache CWE-20
5.3
2016-04-12 CVE-2016-4003 Cross-site Scripting vulnerability in Apache Struts
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-2162 Cross-site Scripting vulnerability in Apache Struts
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
network
low complexity
apache CWE-79
6.1