Homepage
About Snyk

struts:struts@1.2.7 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the struts:struts package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Improper Input Validation

struts:struts is a part of the Struts framework.

Affected versions of this package are vulnerable to Improper Input Validation via a request with a org.apache.struts.taglib.html.Constants.CANCEL parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.

How to fix Improper Input Validation?

Upgrade struts:struts to version 1.2.9 or higher.

[,1.2.9)
  • M
Cross-site Scripting (XSS)

struts:struts is a part of the Struts framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). LookupDispatchAction, DispatchAction and ActionDispatcher allow remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

How to fix Cross-site Scripting (XSS)?

Upgrade struts:struts to version 1.2.9 or higher.

[,1.2.9)
  • H
Denial of Service (DoS)

struts:struts is a part of the Struts framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

How to fix Denial of Service (DoS)?

Upgrade struts:struts to version 1.2.9 or higher.

[,1.2.9)
  • H
Arbitrary Code Execution

struts:struts is a part of the Struts framework.

Affected versions of this package are vulnerable to Arbitrary Code Execution where the class property is not suppressed. It allows remote attackers to "manipulate" the ClassLoader and to execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Note: Struts1 has been deprecated. Users should use Struts2 which is not vulnerable to this issue.

How to fix Arbitrary Code Execution?

There is no fixed version for struts:struts.

[0,)
  • H
Denial of Service (DoS)

struts:struts ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

[1.0.2,)
  • H
Improper Input Validation

struts:struts ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

[1.0.2,)
  • H
Improper Input Validation

struts:struts The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

[1,1.3.0)
Go back to all versions of this package