Software Detail
Struts
Number Of NVD: 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications, developed by the Apache Software Foundation.
It is open source and can be used free of charge.

Highly urgent vulnerabilities, such as the ability to execute commands remotely, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

Development of Struts 1 started in early 2000, and quite a number of companies have been using it.

Struts 1 is no longer supported.
Tag
  • Java
  • Apache License v2.0

Add Information URL
No Type Name URL
1 https://struts.apache.org/struts1eol-announcement.html
2 https://struts.apache.org/download.cgi
3 https://struts.apache.org/releases.html
4 https://github.com/apache/struts1
5 https://github.com/apache/struts
6 https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
7 https://struts.apache.org/struts23-eol-announcement

List Of Product
Columns: No, Name, Latest Version, Release date, Initial release, Normal Support, Security Support / Service Pack Support, Extended (for a fee), Critical, High, Medium, Low
51 Struts 6 6.7.0 Nov. 17, 2024 June 6, 2022 1 1 1 0
52 Struts 2.5 2.5.33 April 4, 2022 May 5, 2016 Oct. 30, 2023 April 30, 2024 7 9 5 0
53 Struts 2.3 2.3.37 Dec. 30, 2018 Dec. 9, 2011 Nov. 14, 2018 April 14, 2019 14 26 19 0
54 Struts 2.2 2.2.3.1 Sept. 7, 2011 June 29, 2010 Dec. 18, 2011 10 21 20 1
55 Struts 2.1 2.1.8.1 Nov. 11, 2009 Oct. 29, 2007 Dec. 18, 2011 9 21 21 1
56 Struts 2.0 2.0.15 Nov. 17, 2008 Sept. 25, 2006 Dec. 18, 2011 9 20 23 1
57 Struts 1 1.3.10 Dec. 7, 2014 May 1, 2000 April 5, 2013 0 7 5 0
NVD Vulnerability Information
Fields: No, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, CVE, cpe23Uri (version bounds: or higher / or less / more than / less than), Update date, Published date

51. CVSS3: -; CVSS2: 5.0; Level: MEDIUM
Title: The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
CWE: NVD-CWE-noinfo
CVE: CVE-2014-0094
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.16.1)
Update date: 2024-11-21 11:01; Published date: 2014-03-11

52. CVSS3: -; CVSS2: 4.3; Level: MEDIUM
Title: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (…
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2013-6348
cpe23Uri: cpe:2.3:a:apache:struts:2.3.15.3:*
Update date: 2024-11-21 10:59; Published date: 2013-11-3

53. CVSS3: -; CVSS2: 10.0; Level: HIGH
Title: Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
CWE: CWE-16 (Configuration), NVD-CWE-noinfo, CWE-284 (Improper Access Control)
CVE: CVE-2013-4316
cpe23Uri: cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:55; Published date: 2013-10-1

54. CVSS3: -; CVSS2: 5.8; Level: MEDIUM
Title: Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
CWE: CWE-264 (Permissions, Privileges, and Access Controls)
CVE: CVE-2013-4310
cpe23Uri: cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:55; Published date: 2013-10-1

55. CVSS3: 9.8; CVSS2: 9.3; Level: CRITICAL; Attack Vector: Network
Title: Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
CWE: CWE-74 (Injection)
CVE: CVE-2013-2251
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.15)
Update date: 2026-04-22 23:39; Published date: 2013-07-20

56. CVSS3: -; CVSS2: 5.8; Level: MEDIUM
Title: Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter usin…
CWE: CWE-20 (Improper Input Validation)
CVE: CVE-2013-2248
cpe23Uri: cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:51; Published date: 2013-07-20

57. CVSS3: -; CVSS2: 9.3; Level: HIGH
Title: Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to b…
CWE: CWE-94 (Code Injection)
CVE: CVE-2013-2135
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.14.3)
Update date: 2024-11-21 10:51; Published date: 2013-07-17

58. CVSS3: -; CVSS2: 9.3; Level: HIGH
Title: Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vuln…
CWE: CWE-94 (Code Injection)
CVE: CVE-2013-2134
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.14.3)
Update date: 2024-11-21 10:51; Published date: 2013-07-17

59. CVSS3: 8.1; CVSS2: 9.3; Level: HIGH; Attack Vector: Network
Title: Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) …
CWE: CWE-94 (Code Injection)
CVE: CVE-2013-2115
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.14.1)
Update date: 2024-11-21 10:51; Published date: 2013-07-11

60. CVSS3: -; CVSS2: 9.3; Level: HIGH
Title: Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) …
CWE: CWE-94 (Code Injection)
CVE: CVE-2013-1966
cpe23Uri: cpe:2.3:a:apache:struts:*:* (version bounds: 2.0.0, 2.3.14.1)
Update date: 2024-11-21 10:50; Published date: 2013-07-11