struts:struts@1.2.9 vulnerabilities

struts:struts is a part of the Struts framework.

Affected versions of this package are vulnerable to Arbitrary Code Execution where the class property is not suppressed. It allows remote attackers to "manipulate" the ClassLoader and to execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Note: Struts1 has been deprecated. Users should use Struts2 which is not vulnerable to this issue.

There is no fixed version for struts:struts.

struts:struts ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

struts:struts ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

struts:struts The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.