|
|
CVE Reference: CVE-2008-6504 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2008-6504 |
|
|
Description: ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character. |
|
|
CVE Status: Candidate |
|
|
References: XF http://xforce.iss.net/xforce/xfdb/46328 SAID Secunia Advisory: SA32495 Secunia Advisory: SA32497 OSVDB 49732 CONFIRM http://struts.apache.org/2.x/docs/s2-003.html http://jira.opensymphony.com/browse/XW-641 http://issues.apache.org/struts/browse/WW-2692 http://fisheye6.atlassian.com/cru/CR-9/ BID 32101 |
|
| Return to the previous page. |
