Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2024-53677 PoC — Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Source
https://github.com/Q0LT/VM-CVE-2024-53677
Associated Vulnerability
Title:Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVE-2024-53677)
Description:File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067
Description
Struts Vulnerability - CVE-2024-53677
File Snapshot

 [4.0K]  /data/pocs/169f2b33998145ce093ab58d66de1955fd7e7ae8
└── [4.0K]  struts-hello
    ├── [3.0K]  pom.xml
    └── [4.0K]  src
        └── [4.0K]  main
            ├── [4.0K]  java
            │   └── [4.0K]  com
            │       └── [4.0K]  example
            │           └── [4.0K]  action
            │               ├── [1.4K]  FileUploadAction.java
            │               └── [ 314]  HelloWorldAction.java
            ├── [4.0K]  resources
            │   └── [ 365]  struts.xml
            └── [4.0K]  webapp
                ├── [ 304]  fileUpload.jsp
                ├── [ 129]  hello.jsp
                ├── [ 333]  uploadSuccess.jsp
                └── [4.0K]  WEB-INF
                    └── [ 588]  web.xml

10 directories, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →