CVE-2007-4556

Name of the Vulnerable Software and Affected Versions OpenSymphony XWork versions 1.2.3 and earlier OpenSymphony XWork versions 2.x prior to 2.0.4

Description The issue allows remote attackers to cause a denial of service or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character, due to the recursive evaluation of all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled.

Recommendations For OpenSymphony XWork versions 1.2.3 and earlier, update to version 1.2.3 or later. For OpenSymphony XWork versions 2.x prior to 2.0.4, update to version 2.0.4 or later. As a temporary workaround, consider disabling the altSyntax feature until a patch is available. Restrict access to form inputs that begin with a "%{" sequence and end with a "}" character to minimize the risk of exploitation.