Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.937
Published
2020-09-14
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
CVSS Score
7.5
EPSS Score
0.093
Published
2020-09-14
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.011
Published
2020-02-27
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
CVSS Score
9.8
EPSS Score
0.897
Published
2019-11-01
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
CVSS Score
8.8
EPSS Score
0.029
Published
2017-10-30
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS Score
8.8
EPSS Score
0.026
Published
2017-10-16
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-09-25
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
CVSS Score
9.8
EPSS Score
0.942
Published
2017-09-20
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
CVSS Score
7.5
EPSS Score
0.036
Published
2017-08-29
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
CVSS Score
9.8
EPSS Score
0.061
Published
2016-10-03