Apache Struts vulnerabilities
90 known vulnerabilities affecting apache/struts.
Total CVEs
90
CISA KEV
8
actively exploited
Public exploits
35
Exploited in wild
10
Severity breakdown
CRITICAL22HIGH32MEDIUM35LOW1
Vulnerabilities
Page 5 of 5
CVE-2010-1870MEDIUMCVSS 5.0PoCv2.0.0v2.0.1+24 more2010-08-17
CVE-2010-1870 [MEDIUM] CVE-2010-1870: The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as use
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAc
nvd
CVE-2008-6682MEDIUMCVSS 4.3v2.0.6v2.0.8+3 more2009-04-09
CVE-2008-6682 [MEDIUM] CWE-79 CVE-2008-6682: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
nvd
CVE-2008-2025MEDIUMCVSS 4.3v1.0.2v1.1+3 more2009-04-09
CVE-2008-2025 [MEDIUM] CWE-79 CVE-2008-2025: Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterp
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insuffi
nvd
CVE-2007-6726MEDIUMCVSS 4.3v2.0.92009-04-09
CVE-2007-6726 [MEDIUM] CWE-79 CVE-2007-6726: Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Strut
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/.
nvd
CVE-2008-6504MEDIUMCVSS 5.0PoCv2.0.0v2.0.2+10 more2009-03-23
CVE-2008-6504 [MEDIUM] CWE-20 CVE-2008-6504: ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Ap
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated b
nvd
CVE-2008-6505MEDIUMCVSS 5.0PoCv2.0.6v2.0.8+5 more2009-03-23
CVE-2008-6505 [MEDIUM] CWE-22 CVE-2008-6505: Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.
nvd
CVE-2006-1547HIGHCVSS 7.5KEVfixed in 1.2.92006-03-30
CVE-2006-1547 [HIGH] CWE-749 CVE-2006-1547: ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation
nvd
CVE-2006-1546HIGHCVSS 7.5≤ 1.2.82006-03-30
CVE-2006-1546 [HIGH] CVE-2006-1546: Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation vi
Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.
nvd
CVE-2006-1548MEDIUMCVSS 4.3≤ 1.2.82006-03-30
CVE-2006-1548 [MEDIUM] CVE-2006-1548: Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.
nvd
CVE-2005-3745MEDIUMCVSS 4.3PoCv1.2.72005-11-22
CVE-2005-3745 [MEDIUM] CVE-2005-3745: Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows
Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.
nvd
← Previous5 / 5