CVE-2013-1965

Published: Jul 10, 2013Modified: Apr 29, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Affected (2)

Products: Apache: Struts, Struts2 Showcase

Apache

2 products

Struts

Struts2 Showcase

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Struts	From 2.0.0 to 2.3.14.1
Apache Struts2 Showcase	From 2.0.0 to 2.3.13

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

http://struts.apache.org/development/2.x/docs/s2-012.html

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/60082

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=967655

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://struts.apache.org/development/2.x/docs/s2-012.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/60082

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=967655

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.