struts:struts
Maven
10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting struts:struts
- CVE-2006-1546 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.9 | 2006-03-30
vulnerable: 1.0.2 ... 1.2.8 (11 versions)
Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be dete…
- CVE-2006-1547 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | ✓ Fixed in 1.2.9 | 2006-03-30
vulnerable: 1.0.2 ... 1.2.8 (11 versions)
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipart…
- CVE-2006-1548 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.9 | 2006-03-30
vulnerable: 1.0.2 ... 1.2.8 (11 versions)
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or…
- CVE-2008-2025 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.2.9-162.31.1 | 2009-04-09
vulnerable: 1.0.2 ... 1.2.9 (12 versions)
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openS…
- CVE-2012-1007 | NONE | CVSS 0.0 | EG 0.0 | 2012-02-07
vulnerable: 1.0.2 ... 1.2.9 (12 versions)
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2…
- CVE-2015-0899 | HIGH | CVSS 7.5 | EG 7.5 | 2016-07-04
vulnerable: 1.1 ... 1.2.9 (6 versions)
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
- CVE-2016-1181 | HIGH | CVSS 8.1 | EG 8.1 | 2016-07-04
vulnerable: 1.0.2 ... 1.2.9 (12 versions)
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multi…
- CVE-2016-1182 | HIGH | CVSS 8.2 | EG 8.2 | 2016-07-04
vulnerable: 1.0.2 ... 1.2.9 (12 versions)
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a …
- CVE-2023-34396 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-14
vulnerable: 1.0.2 ... 1.2.9 (12 versions)
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
- CVE-2023-49735 | HIGH | CVSS 7.5 | EG 7.5 | 2023-11-30
vulnerable: 1.1 ... 1.2.9 (6 versions)
** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing…