5
CVE-2008-6504
- EPSS 39.4%
- Veröffentlicht 23.03.2009 14:19:12
- Zuletzt bearbeitet 16.06.2026 23:02:20
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Opensymphony ≫ Xwork Version2.0.0
Opensymphony ≫ Xwork Version2.0.1
Opensymphony ≫ Xwork Version2.0.2
Opensymphony ≫ Xwork Version2.0.3
Opensymphony ≫ Xwork Version2.0.4
Opensymphony ≫ Xwork Version2.0.5
Opensymphony ≫ Xwork Version2.1.0
Opensymphony ≫ Xwork Version2.1.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 39.4% | 0.984 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
http://fisheye6.atlassian.com/cru/CR-9/
http://issues.apache.org/struts/browse/WW-2692
http://jira.opensymphony.com/browse/XW-641
http://osvdb.org/49732
http://secunia.com/advisories/32495
http://secunia.com/advisories/32497
http://struts.apache.org/2.x/docs/s2-003.html
http://www.securityfocus.com/bid/32101
http://www.vupen.com/english/advisories/2008/3003
http://www.vupen.com/english/advisories/2008/3004
https://exchange.xforce.ibmcloud.com/vulnerabilities/46328