CVE-2008-6504 Information

Feb 14, 2021 cve

Description

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2 as used in Apache Struts and other products does not properly restrict (pound sign) references to context objects which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects as demonstrated by use of a \u0023 representation for the character.

Reference

http://fisheye6.atlassian.com/cru/CR-9/ http://issues.apache.org/struts/browse/WW-2692 http://jira.opensymphony.com/browse/XW-641 http://osvdb.org/49732 http://secunia.com/advisories/32495 http://secunia.com/advisories/32497 http://struts.apache.org/2.x/docs/s2-003.html http://www.securityfocus.com/bid/32101 http://www.vupen.com/english/advisories/2008/3003 http://www.vupen.com/english/advisories/2008/3004 https://exchange.xforce.ibmcloud.com/vulnerabilities/46328

Share on: