CVE Daily
← All tags

Tag: Apache Struts

All CVEs associated with "Apache Struts". Page 1/1 • 85 CVEs.

About “Apache Struts”

A curated feed of “Apache Struts”-related CVEs appears below. We currently track 85 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 7.2 (all time; 7.6 over 365d), and 55% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-459 - Incomplete Cleanup, CWE-611 - Improper Restriction of XML External Entity Reference, CWE-117 - Improper Output Neutralization for Logs.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-struts

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
77.1.1-
66.10.0-
2.52.5.33 Expired
2.32.3.37 Expired
2.22.2.3.1- Expired
2.12.1.8.1- Expired
2.02.0.14- Expired
1.31.3.10 Expired
1.21.2.9- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Apache Struts”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-01-11
High

CVE-2025-68493

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to up…

CVSS: 8.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2025-12-10
High

CVE-2025-66675

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0…

CVSS: 8.2 CWE: CWE-459 - Incomplete Cleanup View on NVD
2025-12-01
High

CVE-2025-64775

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0…

CVSS: 7.5 CWE: CWE-459 - Incomplete Cleanup View on NVD
2025-07-30
Medium

CVE-2025-54656

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some c…

CVSS: 6.5 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2024-12-11
Critical

CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which ca…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2023-11-27
Medium

CVE-2023-6308

A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017. Affected by this issue is some unknown functionality of the comp…

CVSS: 6.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2023-06-14
Medium

CVE-2023-34396

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.…

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2023-34149

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.…

CVSS: 4.3 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2022-04-12
Critical

CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evalua…

CVSS: 9.8 CWE: CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') View on NVD
2020-12-11
Critical

CVE-2020-17530

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS: 9.8 CWE: CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') View on NVD
2020-09-14
High

CVE-2019-0233

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

CVSS: 7.5 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Critical

CVE-2019-0230

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

CVSS: 9.8 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
2020-02-27
Medium

CVE-2015-2992

Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-11-01
Critical

CVE-2011-3923

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

CVSS: 9.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2018-08-22
High

CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then:…

CVSS: 8.1 CWE: N/A View on NVD
2018-03-27
High

CVE-2018-1327

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Stru…

CVSS: 7.5 CWE: N/A View on NVD
2017-12-01
Medium

CVE-2017-15707

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

CVSS: 6.2 CWE: CWE-20 - Improper Input Validation View on NVD
2017-10-30
High

CVE-2016-3090

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2017-10-16
High

CVE-2016-4461

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2017-09-25
Medium

CVE-2015-5169

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-09-20
High

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2017-9793

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request wit…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2017-12611

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2016-8738

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overlo…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2017-09-15
High

CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can…

CVSS: 8.1 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2017-08-29
High

CVE-2015-5209

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2017-07-13
High

CVE-2017-9787

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2017-7672

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validati…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2017-07-10
Critical

CVE-2017-9791

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2017-03-11
Critical

CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows r…

CVSS: 9.8 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2016-10-03
Critical

CVE-2016-4436

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

CVSS: 9.8 CWE: N/A View on NVD
2016-07-04
Medium

CVE-2016-4465

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2016-4438

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-4431

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2016-1182

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a…

CVSS: 8.2 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-1181

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of servic…

CVSS: 8.1 CWE: N/A View on NVD
High

CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-06-07
Medium

CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web sit…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2016-3087

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (ex…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2016-04-26
Critical

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to…

CVSS: 8.1 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2016-04-12
Medium

CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to i…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspec…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-07-16
High

CVE-2015-1831

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

CVSS: 7.5 CWE: N/A View on NVD
2014-12-10
Medium

CVE-2014-7809

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2014-05-08
Medium

CVE-2014-0116

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate…

CVSS: 5.8 CWE: CWE-264 View on NVD
2014-04-30
High

CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2014-04-29
High

CVE-2014-0113

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" th…

CVSS: 7.5 CWE: CWE-264 View on NVD
High

CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code…

CVSS: 7.5 CWE: CWE-264 View on NVD
2014-03-11
Medium

CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

CVSS: 5.0 CWE: N/A View on NVD
2013-11-02
Medium

CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2013-09-30
Critical

CVE-2013-4316

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVSS: 10.0 CWE: CWE-16 View on NVD
Medium

CVE-2013-4310

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

CVSS: 5.8 CWE: CWE-264 View on NVD
2013-07-20
Critical

CVE-2013-2251

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2013-2248

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter usin…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2013-07-16
Critical

CVE-2013-2135

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to b…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-2134

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vuln…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-07-10
High

CVE-2013-2115

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2)…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-1966

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2)…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-1965

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2012-09-05
Medium

CVE-2012-4387

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2012-4386

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2012-03-02
Critical

CVE-2012-0838

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execu…

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
2012-02-07
Medium

CVE-2012-1007

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-s…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2012-1006

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to strut…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2012-01-08
Medium

CVE-2011-5057

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attacke…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor chara…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted p…

CVSS: 6.4 CWE: CWE-264 View on NVD
Medium

CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header…

CVSS: 6.8 CWE: N/A View on NVD
Critical

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allow…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2011-05-13
Medium

CVE-2011-2088

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors inv…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-2087

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2011-1772

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script o…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2009-04-09
Medium

CVE-2009-1275

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cro…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2008-6682

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2008-2025

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0,…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2007-6726

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2009-03-23
Medium

CVE-2008-6505

Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2008-6504

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context obj…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2007-08-28
Medium

CVE-2007-4556

Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression…

CVSS: 6.8 CWE: N/A View on NVD
2005-11-22
Medium

CVE-2005-3745

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly…

CVSS: 4.3 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox