XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
CVSS Score
6.8
EPSS Score
0.889
Published
2020-12-16
CVE-2020-17530
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2020-12-11
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.937
Published
2020-09-14
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
CVSS Score
7.5
EPSS Score
0.093
Published
2020-09-14
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.016
Published
2020-02-27
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVSS Score
8.8
EPSS Score
0.008
Published
2019-12-05
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
CVSS Score
9.8
EPSS Score
0.911
Published
2019-11-01
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS Score
8.8
EPSS Score
0.026
Published
2017-10-16
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
CVSS Score
6.1
EPSS Score
0.011
Published
2017-09-25
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
CVSS Score
7.5
EPSS Score
0.036
Published
2017-08-29