CVE-2016-1182
Published 2016-07-04
Priority P3 · 47 · high · 8.2 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 25.93% (97.7th percentile)
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Affected
20 ranges are listed for vendor apache, product struts, but the version range and fixed-in columns are not populated on this page. The description places the affected range at Struts 1 1.x through 1.3.10.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
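Because the affected table above carries no version data, the practical check is an inventory of the deployed application. The following is an added example, not code from the page or from the Struts project: it opens a WAR, lists the Struts 1 jars in WEB-INF/lib and marks them against the 1.x through 1.3.10 range from the description, checks whether the ValidatorPlugIn is configured in struts-config.xml, and lists action mappings whose form bean lives in session scope, the condition the Bugzilla entry below names. The jar naming pattern, the sample WAR, and the class and path names in it are assumptions constructed for the example.

```python
"""Triage a WAR for CVE-2016-1182 exposure (added example, not project code)."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Struts 1 artifacts: struts-<ver>.jar (1.0 to 1.2.x) or the 1.3.x module jars.
# Struts 2 jars are named struts2-*, so they deliberately do not match.
STRUTS1_JAR = re.compile(
    r"^(?:.*/)?struts(?:-(?:core|taglib|extras|tiles|el))?-(\d+(?:\.\d+)*)\.jar$"
)
LAST_STRUTS1 = (1, 3, 10)  # "1.x through 1.3.10" per the CVE description
VALIDATOR_PLUGIN = "org.apache.struts.validator.ValidatorPlugIn"


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """Every Struts 1 release up to and including 1.3.10 is in the affected range."""
    return version[0] == 1 and version <= LAST_STRUTS1


def struts1_jars(war):
    """[(path, 'x.y.z', affected)] for each Struts 1 jar in the archive."""
    found = []
    for name in war.namelist():
        match = STRUTS1_JAR.match(name)
        if match:
            found.append((name, match.group(1), is_affected(parse_version(match.group(1)))))
    return found


def load_struts_config(war):
    try:
        return ET.fromstring(war.read("WEB-INF/struts-config.xml"))
    except KeyError:
        return None  # not a Struts 1 application, or the config lives elsewhere


def uses_validator_plugin(config):
    return any(p.get("className") == VALIDATOR_PLUGIN for p in config.iter("plug-in"))


def session_scoped_actions(config):
    """Action paths whose form bean lives in session scope. Struts 1 defaults
    the action 'scope' attribute to 'session', so an omitted attribute counts."""
    return [
        action.get("path")
        for action in config.iter("action")
        if action.get("name") is not None  # a form bean is attached
        and action.get("scope", "session") == "session"
    ]


def triage(war_bytes):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        jars = struts1_jars(war)
        config = load_struts_config(war)
    return {
        "struts1_jars": jars,
        "validator_plugin": config is not None and uses_validator_plugin(config),
        "session_scoped_actions": session_scoped_actions(config) if config is not None else [],
    }


# Constructed sample: a Struts 1.3.10 app with the Validator plug-in, one
# session-scoped validated form (/login, scope omitted), one request-scoped
# form, and a Struts 2 jar that must be ignored. Names are invented.
SAMPLE_STRUTS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.DynaValidatorForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" type="example.LoginAction" name="loginForm" validate="true" input="/login.jsp"/>
    <action path="/search" type="example.SearchAction" name="searchForm" scope="request" validate="true"/>
    <action path="/logout" type="example.LogoutAction"/>
  </action-mappings>
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>
"""


def build_sample_war():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/struts-config.xml", SAMPLE_STRUTS_CONFIG)
        war.writestr("WEB-INF/lib/struts-core-1.3.10.jar", b"")
        war.writestr("WEB-INF/lib/struts-taglib-1.3.10.jar", b"")
        war.writestr("WEB-INF/lib/struts2-core-2.5.33.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample_war()).items():
        print(f"{key}: {value}")
```

Run it against a real WAR with `triage(open("app.war", "rb").read())`. Any Struts 1 jar is reported as affected because Struts 1 ended at 1.3.10 and Apache shipped no fix; the only patched code this page references is the struts1-forever fork commit in the reference list, so a "fixed" result cannot be read off a version number alone.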
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
Improper Input Validation in Apache Struts
osv · 2022-05-13 · CVSS 7.5 · HIGH
Same description as the NVD entry above.
GHSA
Improper Input Validation in Apache Struts
ghsa · 2022-05-13 · CVSS 7.5 · HIGH · CWE-20
Same description as the NVD entry above.
Red Hat
struts: Improper input validation in Validator
vendor_redhat · 2016-06-07 · CVSS 7.5 · HIGH · CWE-20
Same description as the NVD entry above.
Statement: This issue affects the version of struts shipped with Red Hat Enterprise Linux 5, which is currently in Extended Life Phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification https://access.redhat.com/security/updates/classification/ and the Red Hat Enterprise Linux Life Cycle https://access.redhat.com/support/policy/updates/errata/.
Package: struts (Red Hat Enterprise Linu
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-1182 struts: Improper input validation in Validator
bugzilla · 2016-06-07 · CVSS 7.5 · HIGH
It was reported that The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including its subclasses) are in the session scope.
Affects Apache Struts 1 versions 1.0 through 1.3.10.
External References:
https://jvn.jp/en/jp/JVN65044642/
Discussion:
Created struts tracking bugs for this issue:
Affects: fedora-all [bug 1343541]
Affects: epel-7 [bug 1343542]
---
Seems a duplicate of CVE-2015-0899. Already fixed.
---
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
---
struts-1.3.10-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persis
Bugzilla
CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]
bugzilla · 2016-06-07 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Discussion:
Use th
Bugzilla
CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]
bugzilla · 2016-06-07 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
Fortinet
The Analysis of Apache Struts 1 Form Field Input Validation Bypass (CVE-2015-0899)
blogs_fortinet · 2017-10-25 · CVSS 7.5 · CVE-2015-0899 [HIGH]
FORTIGUARD LABS THREAT RESEARCH
By Dehui Yin | October 25, 2017
Apache Struts 1 is a widely used Java EE web application framework. It offers many kinds of validators that filter user input through the Apache Commons Validator library, which is both convenient and fast. However, a bug in Apache Struts 1 can be used to bypass the input validation process entirely, allowing an attacker to submit arbitrary unvalidated data to the database, which can result in a cross-site scripting attack when a user later views a JSP that renders the stored data directly.
This potential Input Validation Bypass vulnerability is caused by an error in both ValidatorForm.java and DynaValidatorForm.java when initializing the va
Fortinet
The Analysis of Apache Struts 1 ActionServlet Validator Bypass (CVE-2016-1182)
blogs_fortinet · 2017-10-25 · CVSS 8.2 · CVE-2016-1182 [HIGH]
FORTIGUARD LABS THREAT RESEARCH
By Dehui Yin | October 25, 2017
Apache Struts 1 ValidatorForm is a commonly used component in Java EE web applications for forms whose fields must be validated before use, such as login, registration, and other data-entry forms. By configuring validation rules, Apache Struts can validate many kinds of fields: username, email, credit card number, and so on. However, a bug in Apache Struts 1 can be used to manipulate properties of the ValidatorForm so as to modify the validation rules or, worse, cause a denial of service or execute arbitrary code in the context of the web application.
This potential Input Validation Bypass or Denial Of Service vulnerabil
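The excerpt above describes crafted input reaching properties of the ValidatorForm that a user should never be able to set. Struts 1 copies request parameters onto the ActionForm using BeanUtils-style population, whose property syntax accepts nested ("a.b"), indexed ("a[0]") and mapped ("a(key)") names; a control that forwards only the declared, simple field names removes that traversal surface without knowing which internal property a given request is aiming at. The block below is an added example, not code from the page, from Fortinet, or from the Struts project: it shows the screening logic a servlet filter in front of the application would apply, run over a constructed request. The login-form fields and every parameter name in the sample are invented for the example; the traversal names are placeholders, not the parameter names used against Struts 1.

```python
"""Allowlist screening of request parameters before form population
(added example, not project code)."""
import re

# BeanUtils property syntax: "a.b" nested, "a[0]" indexed, "a(key)" mapped.
TRAVERSAL = re.compile(r"[.\[\]()]")
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def screen_parameters(params, declared_fields):
    """Split (name, value) pairs into those the form may receive and those
    dropped, each rejection carrying a reason. Only plain identifiers that
    the form declares are forwarded; everything else is stopped before
    population, so no nested or undeclared property can be reached."""
    accepted, rejected = [], []
    for name, value in params:
        if TRAVERSAL.search(name):
            rejected.append((name, "nested/indexed/mapped property syntax"))
        elif not IDENTIFIER.match(name):
            rejected.append((name, "not a simple property name"))
        elif name not in declared_fields:
            rejected.append((name, "not a declared form field"))
        else:
            accepted.append((name, value))
    return accepted, rejected


# Constructed: fields a hypothetical login form declares, and a request that
# mixes legitimate fields with names that would steer population elsewhere.
LOGIN_FORM_FIELDS = frozenset({"username", "password", "rememberMe"})
SAMPLE_REQUEST = [
    ("username", "alice"),
    ("password", "correct horse"),
    ("rememberMe", "true"),
    ("helper.config.flag", "false"),  # nested traversal (invented name)
    ("entries[0]", "x"),              # indexed traversal (invented name)
    ("settings(mode)", "debug"),      # mapped traversal (invented name)
    ("debug", "1"),                   # simple name the form does not declare
]


def screened_login_request():
    """Apply the allowlist to the constructed sample request."""
    return screen_parameters(SAMPLE_REQUEST, LOGIN_FORM_FIELDS)


if __name__ == "__main__":
    accepted, rejected = screened_login_request()
    print("forwarded:", accepted)
    for name, reason in rejected:
        print(f"dropped {name!r}: {reason}")
```

Two caveats for anyone porting this into a filter. The allowlist has to be per action mapping, since each form declares different fields, and it has to cover multipart bodies as well as the query string and URL-encoded body, because Struts 1 reads multipart parameters through its own handler rather than the servlet container's parameter map. A filter is a compensating control for an end-of-life framework; it does not change the page's finding that every Struts 1 release through 1.3.10 is affected.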
References
http://jvn.jp/en/jp/JVN65044642/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/91067
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1036056
https://bugzilla.redhat.com/show_bug.cgi?id=1343540
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
https://security-tracker.debian.org/tracker/CVE-2016-1182
https://security.netapp.com/advisory/ntap-20180629-0006/
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html