5
CVE-2008-6504
- EPSS 65.08%
- Published 23.03.2009 14:19:12
- Last modified 09.04.2025 00:30:58
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Data is provided by the National Vulnerability Database (NVD)
Opensymphony ≫ Xwork Version2.0.0
Opensymphony ≫ Xwork Version2.0.1
Opensymphony ≫ Xwork Version2.0.2
Opensymphony ≫ Xwork Version2.0.3
Opensymphony ≫ Xwork Version2.0.4
Opensymphony ≫ Xwork Version2.0.5
Opensymphony ≫ Xwork Version2.1.0
Opensymphony ≫ Xwork Version2.1.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 65.08% | 0.983 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.