Time | Node | Bulletin |
---|---|---|
2020-12-08 16:01:46 | cassandra.cerias.purdue.edu | S2-061 - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution - similar to S2-059. |
2020-10-07 21:44:00 | cassandra.cerias.purdue.edu | S2-001 - Remote code exploit on form validation error |
2020-10-07 21:43:59 | cassandra.cerias.purdue.edu | S2-002 - Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags |
2020-10-07 21:43:58 | cassandra.cerias.purdue.edu | S2-003 - XWork ParameterInterceptors bypass allows OGNL statement execution |
2020-10-07 21:43:57 | cassandra.cerias.purdue.edu | S2-004 - Directory traversal vulnerability while serving static content |
2020-10-07 21:43:55 | cassandra.cerias.purdue.edu | S2-005 - XWork ParameterInterceptors bypass allows remote command execution |
2020-10-07 21:43:54 | cassandra.cerias.purdue.edu | S2-006 - Multiple Cross-Site Scripting (XSS) in XWork generated error pages |
2020-10-07 21:43:53 | cassandra.cerias.purdue.edu | S2-007 - User input is evaluated as an OGNL expression when there's a conversion error |
2020-10-07 21:43:52 | cassandra.cerias.purdue.edu | S2-008 - Multiple critical vulnerabilities in Struts2 |
2020-10-07 21:43:51 | cassandra.cerias.purdue.edu | S2-009 - ParameterInterceptor vulnerability allows remote command execution |
2020-10-07 21:43:50 | cassandra.cerias.purdue.edu | S2-010 - When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes |
2020-10-07 21:43:49 | cassandra.cerias.purdue.edu | S2-011 - Long request parameter names might significantly promote the effectiveness of DOS attacks |
2020-10-07 21:43:47 | cassandra.cerias.purdue.edu | S2-012 - Showcase app vulnerability allows remote command execution |
2020-10-07 21:43:46 | cassandra.cerias.purdue.edu | S2-013 - A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution |
2020-10-07 21:43:45 | cassandra.cerias.purdue.edu | S2-014 - A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks |
2020-10-07 21:43:44 | cassandra.cerias.purdue.edu | S2-015 - A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution. |
2020-10-07 21:43:43 | cassandra.cerias.purdue.edu | S2-016 - A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution |
2020-10-07 21:43:42 | cassandra.cerias.purdue.edu | S2-017 - A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects |
2020-10-07 21:43:41 | cassandra.cerias.purdue.edu | S2-018 - Broken Access Control Vulnerability in Apache Struts2 |
2020-10-07 21:43:40 | cassandra.cerias.purdue.edu | S2-019 - Dynamic Method Invocation disabled by default |
2020-10-07 21:43:38 | cassandra.cerias.purdue.edu | S2-020 - Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) |
2020-10-07 21:43:37 | cassandra.cerias.purdue.edu | S2-021 - Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation |
2020-10-07 21:43:36 | cassandra.cerias.purdue.edu | S2-022 - Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals |
2020-10-07 21:43:35 | cassandra.cerias.purdue.edu | S2-023 - Generated value of token can be predictable |
2020-10-07 21:43:34 | cassandra.cerias.purdue.edu | S2-024 - Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker |
2020-10-07 21:43:32 | cassandra.cerias.purdue.edu | S2-025 - Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files |
2020-10-07 21:43:31 | cassandra.cerias.purdue.edu | S2-026 - Special top object can be used to access Struts' internals |
2020-10-07 21:43:30 | cassandra.cerias.purdue.edu | S2-027 - TextParseUtil.translateVariables does not filter malicious OGNL expressions |
2020-10-07 21:43:29 | cassandra.cerias.purdue.edu | S2-028 - Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications. |
2020-10-07 21:43:27 | cassandra.cerias.purdue.edu | S2-029 - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
2020-10-07 21:43:26 | cassandra.cerias.purdue.edu | S2-030 - Possible XSS vulnerability in I18NInterceptor |
2020-10-07 21:43:25 | cassandra.cerias.purdue.edu | S2-031 - XSLTResult can be used to parse arbitrary stylesheet |
2020-10-07 21:43:24 | cassandra.cerias.purdue.edu | S2-032 - Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled. |
2020-10-07 21:43:23 | cassandra.cerias.purdue.edu | S2-033 - Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled. |
2020-10-07 21:43:22 | cassandra.cerias.purdue.edu | S2-034 - OGNL cache poisoning can lead to DoS vulnerability |
2020-10-07 21:43:21 | cassandra.cerias.purdue.edu | S2-035 - Action name clean up is error prone |
2020-10-07 21:43:20 | cassandra.cerias.purdue.edu | S2-036 - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) |
2020-10-07 21:43:19 | cassandra.cerias.purdue.edu | S2-037 - Remote Code Execution can be performed when using REST Plugin. |
2020-10-07 21:43:17 | cassandra.cerias.purdue.edu | S2-038 - It is possible to bypass token validation and perform a CSRF attack |
2020-10-07 21:43:16 | cassandra.cerias.purdue.edu | S2-039 - Getter as action method leads to security bypass |
2020-10-07 21:43:15 | cassandra.cerias.purdue.edu | S2-040 - Input validation bypass using existing default action method. |
2020-10-07 21:43:14 | cassandra.cerias.purdue.edu | S2-041 - Possible DoS attack when using URLValidator |
2020-10-07 21:43:13 | cassandra.cerias.purdue.edu | S2-042 - Possible path traversal in the Convention plugin |
2020-10-07 21:43:12 | cassandra.cerias.purdue.edu | S2-043 - Using the Config Browser plugin in production |
2020-10-07 21:43:11 | cassandra.cerias.purdue.edu | S2-044 - Possible DoS attack when using URLValidator |
2020-10-07 21:43:10 | cassandra.cerias.purdue.edu | S2-045 - Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser. |
2020-10-07 21:43:09 | cassandra.cerias.purdue.edu | S2-046 - Possible RCE when performing file upload based on Jakarta Multipart parser (similar to S2-045) |
2020-10-07 21:43:07 | cassandra.cerias.purdue.edu | S2-047 - Possible DoS attack when using URLValidator (similar to S2-044) |
2020-10-07 21:43:06 | cassandra.cerias.purdue.edu | S2-048 - Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series |
2020-10-07 21:43:05 | cassandra.cerias.purdue.edu | S2-049 - A DoS attack is available for Spring secured actions |
2020-10-07 21:43:04 | cassandra.cerias.purdue.edu | S2-050 - A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047) |
2020-10-07 21:43:02 | cassandra.cerias.purdue.edu | S2-051 - A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin |
2020-10-07 21:43:01 | cassandra.cerias.purdue.edu | S2-052 - Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads |
2020-10-07 21:43:00 | cassandra.cerias.purdue.edu | S2-053 - A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals |
2020-10-07 21:42:59 | cassandra.cerias.purdue.edu | S2-054 - A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin |
2020-10-07 21:42:58 | cassandra.cerias.purdue.edu | S2-055 - A RCE vulnerability in the Jackson JSON library |