Apache Struts 2.3.24.3 Security Vulnerabilities
Published vulnerabilities whose affected version ranges include Apache Struts 2.3.24.3, each with its CVSS score, EPSS score and publication date.

CVE-2017-5638 (known exploited in the wild)
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVSS Score: 9.8 | EPSS Score: 0.943 | Published: 2017-03-11

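The mechanism described above (an OGNL expression delivered in the Content-Type, Content-Disposition or Content-Length header of a file-upload request) can be screened for before the request reaches the multipart parser. The following is an added example written for this page, not Shodan's or the Apache Struts project's code. It parses a request head, flags watched headers that carry OGNL expression delimiters or the #cmd= fragment named in the advisory, and, as a second layer, accepts only a Content-Type that is a well-formed media type; that second layer is the shape of the servlet-filter workaround Apache published for this bug, which the listing itself does not mention. The sample request heads are constructed, the injected value is illustrative rather than a working payload, and the `%{` / `${` delimiters and the simplified media-type grammar are assumptions beyond what the listing states.

```python
import re

# Headers the advisory names as injection points for the crafted value.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# Markers that never belong in a media type: the OGNL expression delimiters
# "%{" and "${" (assumption: not named on the page) plus the "#cmd=" fragment
# the advisory cites from the March 2017 exploitation.
SUSPICIOUS_MARKERS = ("%{", "${", "#cmd=")

# Strict media-type grammar (RFC 7231, simplified): token "/" token, then
# optional ";" name "=" (token | quoted-string) parameters. Braces, parentheses
# and "=" are not token characters, so a bare OGNL expression cannot match.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|"[^"\\]*")'
MEDIA_TYPE_RE = re.compile(rf'^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$')


def parse_headers(raw: str) -> dict:
    """Parse a raw request head (request line + headers) into a
    lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def suspicious_headers(headers: dict) -> list:
    """Names of watched headers whose value carries an expression marker."""
    return [h for h in WATCHED_HEADERS
            if h in headers and any(m in headers[h] for m in SUSPICIOUS_MARKERS)]


def content_type_ok(headers: dict) -> bool:
    """Whitelist check: no Content-Type is fine; a present one must be a
    well-formed media type with well-formed parameters."""
    ct = headers.get("content-type")
    return ct is None or MEDIA_TYPE_RE.match(ct) is not None


def classify(raw: str) -> str:
    """'reject' if any watched header carries a marker or the Content-Type
    fails the grammar check, otherwise 'allow'."""
    headers = parse_headers(raw)
    if suspicious_headers(headers) or not content_type_ok(headers):
        return "reject"
    return "allow"


# Constructed sample request heads (not captured traffic).
NORMAL_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n"
    "Content-Length: 512\r\n"
)
# Illustrative injected value in the shape the advisory describes; not a
# working payload.
INJECTED_CT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: %{(#cmd='id')}\r\n"
    "Content-Length: 0\r\n"
)
# Same marker hidden inside a syntactically valid quoted parameter: the
# grammar check alone passes it, the marker check does not.
QUOTED_CT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=\"%{(#cmd='id')}\"\r\n"
)
# Not an expression, just a malformed media type: rejected by the grammar.
MALFORMED_CT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary={bad}\r\n"
)

if __name__ == "__main__":
    for name, req in [("normal", NORMAL_UPLOAD), ("injected", INJECTED_CT),
                      ("quoted", QUOTED_CT), ("malformed", MALFORMED_CT)]:
        print(f"{name:9s} -> {classify(req)}")
```

The two layers are deliberately independent: the grammar check rejects anything that is not a media type without needing a list of attack strings, and the marker check catches an expression smuggled into a quoted parameter value that the grammar would accept. Neither replaces upgrading to a fixed Struts release.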
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
CVSS Score: 9.8 | EPSS Score: 0.065 | Published: 2016-10-03

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
CVSS Score: 5.3 | EPSS Score: 0.103 | Published: 2016-07-04

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
CVSS Score: 9.8 | EPSS Score: 0.535 | Published: 2016-07-04

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
CVSS Score: 7.5 | EPSS Score: 0.106 | Published: 2016-07-04

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
CVSS Score: 7.5 | EPSS Score: 0.221 | Published: 2016-07-04

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
CVSS Score: 8.8 | EPSS Score: 0.032 | Published: 2016-07-04

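Each of the seven Struts entries above states its affected range as version intervals ("2.3.x before 2.3.32", "2.3.20 through 2.3.28.1", and so on), which is what an inventory check has to evaluate against a deployed version string. The following is an added example written for this page, not Shodan's or the Apache Struts project's code: it transcribes those intervals and reports which listed issues contain a given Struts 2 version. The issue labels are this example's own shorthand, and the comparison rules (missing trailing components compare as 0, "through" is an inclusive upper bound, "before" an exclusive one) are assumptions about how the listing's ranges are meant to be read.

```python
from collections import namedtuple

# One affected interval on a version line. lower is inclusive; upper is
# inclusive when the advisory says "through" and exclusive when it says
# "before". None means unbounded on that side.
Range = namedtuple("Range", "lower upper upper_inclusive")

# Affected ranges transcribed from the seven Struts advisories above, in page
# order. Labels are this example's shorthand, not Apache's.
AFFECTED = {
    "multipart parser RCE (CVE-2017-5638)": [
        Range("2.3", "2.3.32", False), Range("2.5", "2.5.10.1", False)],
    "improper action name clean up": [
        Range(None, "2.3.29", False), Range("2.5", "2.5.1", False)],
    "URLValidator DoS": [
        Range("2.3.20", "2.3.28.1", True), Range("2.5", "2.5.1", False)],
    "REST plugin RCE": [Range("2.3.19", "2.3.28.1", True)],
    "redirection via crafted request": [Range("2.3.20", "2.3.28.1", True)],
    "redirection via default method": [Range("2.3.20", "2.3.28.1", True)],
    "CSRF token validation": [Range("2.3.20", "2.3.28.1", True)],
}


def parse_version(v: str) -> tuple:
    """'2.3.24.3' -> (2, 3, 24, 3). Raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in v.strip().split("."))


def cmp_versions(a: tuple, b: tuple) -> int:
    """Three-way compare; missing trailing components count as 0, so
    2.3 == 2.3.0 and 2.3.28 < 2.3.28.1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(v: tuple, r: Range) -> bool:
    """True if v lies inside r under the inclusive/exclusive rules above."""
    if r.lower is not None and cmp_versions(v, parse_version(r.lower)) < 0:
        return False
    if r.upper is not None:
        c = cmp_versions(v, parse_version(r.upper))
        if c > 0 or (c == 0 and not r.upper_inclusive):
            return False
    return True


def affected_issues(version: str) -> list:
    """Labels of the listed issues whose ranges contain version, in page order."""
    v = parse_version(version)
    return [label for label, ranges in AFFECTED.items()
            if any(in_range(v, r) for r in ranges)]


if __name__ == "__main__":
    for ver in ("2.3.24.3", "2.3.28.2", "2.3.32", "2.5.10"):
        print(ver, "->", affected_issues(ver) or "none of the listed issues")
```

The check covers only the declared framework version: the REST plugin entry matters only where that plugin is actually deployed, and a build that backported a fix under an old version number will still be reported as affected.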
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags. Note that this affected range is a Tiles version range: check the Tiles artifact bundled with the deployed Struts Tiles plugin rather than the Struts version itself.
CVSS Score: 6.8 | EPSS Score: 0.012 | Published: 2009-04-09

Shodan ® - All rights reserved