Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-1592

CWE-434 — Unrestricted File Upload8 documents6 sources

Severity

8.8HIGH

EPSS

0.6%

top 30.87%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Libstruts1.2-java Libstruts1.2-java Apache Struts

Timeline

PublishedDec 5

Latest updateApr 23

Description

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-core2.0 — 2.5.22

▶NVDapache/struts2.0.0

▶CVEListV5libstruts1.2-java/libstruts1.2-java1.2-

🔴Vulnerability Details

OSV

Unrestricted Upload of File with Dangerous Type in Apache Struts2↗2022-04-23

▶

GHSA

Unrestricted Upload of File with Dangerous Type in Apache Struts2↗2022-04-23

▶

CVEList

CVE-2012-1592: A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitr↗2019-12-05

▶

💥Exploits & PoCs

Exploit-DB

SAP NetWeaver Message Server - Multiple Vulnerabilities↗2013-02-17

▶

Exploit-DB

Apache Struts 2.0 - 'XSLTResult.java' Arbitrary File Upload↗2012-03-23

▶

💬Community

Bugzilla

CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty↗2012-10-29

▶

Bugzilla

CVE-2012-1592 struts2: xsltResult local code execution flaw↗2012-03-27

▶