PT-2009-1974 · Opensymphony · Opensymphony Xwork

Meder Kydyraliev · Published 2009-03-23 · Updated 2022-05-17 · CVE-2008-6504

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: OpenSymphony XWork versions 2.0.x through 2.0.5; OpenSymphony XWork versions 2.1.x through 2.1.1.

Description: The issue allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects. This is due to the ParametersInterceptor in OpenSymphony XWork not properly restricting # (pound sign) references to context objects.

Recommendations: For OpenSymphony XWork versions 2.0.x through 2.0.5, update to version 2.0.6 or later. For OpenSymphony XWork versions 2.1.x through 2.1.1, update to version 2.1.2 or later.

Exploit

Fix

RCE


Weakness Enumeration

Related identifiers

CVE-2008-6504
GHSA-WXW2-2MX5-C5QF

Affected products

Opensymphony Xwork