Andreas Nusser

#13178of 53,633
20Total CVSS
Vulnerabilities · 3
Medium
3
PT-2012-2538
6.8
2012-01-08
Apache · Apache Struts · CVE-2012-0394
**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.1.1 **Description** The issue allows remote attackers to execute arbitrary commands via unspecified vectors when the DebuggingInterceptor component is used in developer mode. The vendor characterizes this behavior as not a security vulnerability itself. **Recommendations** For versions prior to 2.3.1.1, update to version 2.3.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the developer mode to minimize the risk of exploitation.
PT-2012-1240
6.4
2012-01-02
Apache · Apache Struts · CVE-2012-0393
**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.1.1 **Description** The issue is related to the ParameterInterceptor component, which does not properly restrict access to public constructors. This allows remote attackers to create or overwrite arbitrary files by crafting a parameter that triggers the creation of a Java object. The vulnerability is associated with insufficient access control in the ParameterInterceptor component, enabling remote attackers to write arbitrary files to the system. **Recommendations** For versions prior to 2.3.1.1, update to version 2.3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ParameterInterceptor component to minimize the risk of exploitation.
PT-2011-1252
6.8
2011-12-25
Apache · Apache Struts · CVE-2012-0392
**Name of the Vulnerable Software and Affected Versions** Apache Struts versions prior to 2.3.1.1 **Description** The issue is related to the CookieInterceptor component, which does not utilize a parameter-name whitelist. This allows remote attackers to execute arbitrary commands by crafting a specific HTTP Cookie header, triggering Java code execution through a static method. The vulnerability is associated with inadequate access control in the implementation of the CookieInterceptor class. **Recommendations** For versions prior to 2.3.1.1, update to version 2.3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the CookieInterceptor component to minimize the risk of exploitation.