Software Detail
Struts: Number of NVD entries: 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL: https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications, developed by the Apache Software Foundation.
It is open source and can be used free of charge.

Highly urgent vulnerabilities, such as remote command execution, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

The development of Struts1 started in early 2000, and quite a number of companies have been using it.

Struts1 is no longer supported.
Tag
  • Apache License v2.0
  • Java

Add Information URL
No Type Name URL
1 https://struts.apache.org/struts1eol-announcement.html
2 https://struts.apache.org/download.cgi
3 https://struts.apache.org/releases.html
4 https://github.com/apache/struts1
5 https://github.com/apache/struts
6 https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
7 https://struts.apache.org/struts23-eol-announcement

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
71 Struts 6 6.7.0 Nov. 17, 2024 June 6, 2022 1 1 1 0
72 Struts 2.5 2.5.33 April 4, 2022 May 5, 2016 Oct. 30, 2023 April 30, 2024 7 9 5 0
73 Struts 2.3 2.3.37 Dec. 30, 2018 Dec. 9, 2011 Nov. 14, 2018 April 14, 2019 14 26 19 0
74 Struts 2.2 2.2.3.1 Sept. 7, 2011 June 29, 2010 Dec. 18, 2011 10 21 20 1
75 Struts 2.1 2.1.8.1 Nov. 11, 2009 Oct. 29, 2007 Dec. 18, 2011 9 21 21 1
76 Struts 2.0 2.0.15 Nov. 17, 2008 Sept. 25, 2006 Dec. 18, 2011 9 20 23 1
77 Struts 1 1.3.10 Dec. 7, 2014 May 1, 2000 April 5, 2013 0 7 5 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri (or higher / or less / more than / less than) Update date Published date
71 -
6.8
MEDIUM The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header… NVD-CWE-noinfo
CVE-2012-0392 cpe:2.3:a:apache:struts:*:* 2.0.0 2.3.1 2024-11-21 10:34
2012-01-9
72 -
5.0
MEDIUM XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors inv… CWE-200
Information Exposure
CVE-2011-2088 cpe:2.3:a:apache:struts:2.2.1:* 2024-11-21 10:27
2011-05-14
73 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary… CWE-79
Cross-site Scripting
CVE-2011-2087 cpe:2.3:a:apache:struts:2.2.1:*
cpe:2.3:a:apache:struts:2.2.1.1:*
cpe:2.3:a:apache:struts:2.1.8:*
cpe:2.3:a:ap…
2024-11-21 10:27
2011-05-14
74 -
2.6
LOW Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script o… CWE-79
Cross-site Scripting
CVE-2011-1772 cpe:2.3:a:apache:struts:2.2.1:*
cpe:2.3:a:apache:struts:2.2.1.1:*
cpe:2.3:a:apache:struts:2.1.8:*
cpe:2.3:a:ap…
2024-11-21 10:27
2011-05-14
75 -
5.0
MEDIUM The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which a… NVD-CWE-Other
CVE-2010-1870 cpe:2.3:a:apache:struts:2.1.8:*
cpe:2.3:a:apache:struts:2.1.8.1:*
cpe:2.3:a:apache:struts:2.1.6:*
cpe:2.3:a:ap…
2024-11-21 10:15
2010-08-18
76 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated … CWE-79
Cross-site Scripting
CVE-2008-6682 cpe:2.3:a:apache:struts:2.1:*
cpe:2.3:a:apache:struts:2.0.9:*
cpe:2.3:a:apache:struts:2.0.8:*
cpe:2.3:a:apache…
2026-04-23 09:35
2009-04-10
77 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, … CWE-79
Cross-site Scripting
CVE-2008-2025 cpe:2.3:a:apache:struts:1.2.8:*
cpe:2.3:a:apache:struts:1.2.7:*
cpe:2.3:a:apache:struts:1.2.4:*
cpe:2.3:a:apac…
2026-04-23 09:35
2009-04-10
78 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified… CWE-79
Cross-site Scripting
CVE-2007-6726 cpe:2.3:a:apache:struts:2.0.9:* 2026-04-23 09:35
2009-04-10
79 -
5.0
MEDIUM Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI … CWE-22
Path Traversal
CVE-2008-6505 cpe:2.3:a:apache:struts:2.1.2_beta:*
cpe:2.3:a:apache:struts:2.0.9:*
cpe:2.3:a:apache:struts:2.0.8:*
cpe:2.3:a…
2026-04-23 09:35
2009-03-23
80 -
5.0
MEDIUM ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context obj… CWE-20
Improper Input Validation
CVE-2008-6504 cpe:2.3:a:apache:struts:2.0.9:*
cpe:2.3:a:apache:struts:2.0.8:*
cpe:2.3:a:apache:struts:2.0.7:*
cpe:2.3:a:apac…
2026-04-23 09:35
2009-03-23