5
CVE-2008-6504
- EPSS 65.08%
- Veröffentlicht 23.03.2009 14:19:12
- Zuletzt bearbeitet 09.04.2025 00:30:58
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Opensymphony ≫ Xwork Version2.0.0
Opensymphony ≫ Xwork Version2.0.1
Opensymphony ≫ Xwork Version2.0.2
Opensymphony ≫ Xwork Version2.0.3
Opensymphony ≫ Xwork Version2.0.4
Opensymphony ≫ Xwork Version2.0.5
Opensymphony ≫ Xwork Version2.1.0
Opensymphony ≫ Xwork Version2.1.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 65.08% | 0.983 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.