Shodan
Vulnerabilities
Vulnerable Software
Apache:  >> Struts  >> 2.0.0  Security Vulnerabilities
CVE-2015-2992
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.014
Published
2020-02-27
CVE-2012-1592
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVSS Score
8.8
EPSS Score
0.008
Published
2019-12-05
CVE-2011-3923
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
CVSS Score
9.8
EPSS Score
0.895
Published
2019-11-01
CVE-2016-4461
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS Score
8.8
EPSS Score
0.011
Published
2017-10-16
CVE-2015-5169
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-09-25
CVE-2015-5209
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
CVSS Score
7.5
EPSS Score
0.03
Published
2017-08-29
CVE-2016-4436
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
CVSS Score
9.8
EPSS Score
0.081
Published
2016-10-03
CVE-2016-3093
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
CVSS Score
5.3
EPSS Score
0.047
Published
2016-06-07
CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
CVSS Score
9.8
EPSS Score
0.332
Published
2016-04-26
CVE-2016-3081
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
CVSS Score
8.1
EPSS Score
0.94
Published
2016-04-26


Products
Pricing
Contact Us

Shodan ® - All rights reserved