2549 matches found
CVE-2013-1966
CVE-2013-1966 (and related Struts 2 OGNL flaws) enables remote code execution via crafted requests that abuse includeParams handling in the URL or A tag. Public docs in IBM advisories note affected IBM products (e.g., Sterling Order Management, Storwize Unified GUI/Storwize platforms) and specify...
CVE-2013-2115
CVE-2013-2115 is an Apache Struts 2 remote code execution vulnerability. It allows an attacker to run OGNL code by sending a crafted request that is mishandled when includeParams is used in either the URL or an A tag, stemming from an incomplete fix for CVE-2013-1966. Connected IBM advisories ind...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Fisheye, the attacker needs to be able to access...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Fisheye, the attacker needs to be able to access...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Bamboo, the attacker needs to be able to access Bambo...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Bamboo, the attacker needs to be able to access Bambo...
Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution
The remote web application appears to use Struts 2, a web framework that utilizes OGNL Object-Graph Navigation Language as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the...
Apache Struts 2 OGNL Expression Handling Double Evaluation Error Remote Command Execution
The remote web application appears to use Struts 2, a web framework that utilizes OGNL Object-Graph Navigation Language as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the...
Apache Struts OGNL表达式注入漏洞(CVE-2013-2134)
BUGTRAQ ID: 60346 CVECAN ID: CVE-2013-2134 Struts2 是第二代基于Model-View-Controller MVC模型的java企业级web应用框架。它是WebWork和Struts社区合并后的产物。 Apache Struts 2.0.0-2.3.14.3存在远程OGNL表达式注入漏洞,远程攻击者可利用此漏洞操作服务器端对象并在受影响应用上下文中执行任意命令。此漏洞源于通配符匹配错误。 0 Apache Group Struts 2.x 厂商补丁: Apache Group ------------ Apache...
struts 2.3.14.2 命令执行漏洞
Apache Struts框架是一个基于Java Servlets,JavaBeans和JavaServer PagesJSP的Web应用框架的开源项目,Struts基于Model-View-ControllerMVC的设计模式,可以用来构件复杂的Web应用.Apache Struts 2.3.14.3(不含)以前版本中, 利用Action名字的模糊匹配特性可以触发命令执行攻击。 Struts 2.3.14.3...
Apache Struts - OGNL Expression Injection
source: https://www.securityfocus.com/bid/60345/info Apache Struts is prone to a remote OGNL expression injection vulnerability. Remote attackers can exploit this issue to manipulate server-side objects and execute arbitrary commands within the context of the application. Apache Struts 2.0.0...
Apache Struts - OGNL Expression Injection
Apache Struts - OGNL Expression Injection source: https://www.securityfocus.com/bid/60345/info Apache Struts is prone to a remote OGNL expression injection vulnerability. Remote attackers can exploit this issue to manipulate server-side objects and execute arbitrary commands within the context of...
Apache Struts - includeParams Remote Code Execution (Metasploit)
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3 'Apache Struts includeParams Remote Co...
Apache Struts URL and Anchor tag includeParams OGNL Command Execution (CVE-2013-1966; CVE-2013-2115)
The url/a tags resolve every parameter passed to them, allowing arbitrary OGNL expressions encoded into the URL to be evaluated bypassing both Struts and OGNL library protections. Successful exploitation will allow an attacker to execute arbitrary commands in the context of the server...
Apache Struts includeParams Remote Code Execution
This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions prior to 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. When targeting an action which...
Apache Struts includeParams Remote Code Execution
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3 'Apache Struts includeParams Remote Co...
Apache Struts includeParams Remote Code Execution
This module exploits a remote command execution vulnerability in Apache Struts versions 'Apache Struts includeParams Remote Code Execution', 'Description' = %q This module exploits a remote command execution vulnerability in Apache Struts versions 2.3.14.2. A specifically crafted request paramete...
Apache Struts 'ParameterInterceptor'类OGNL安全绕过漏洞
Bugtraq ID:60082 Apache Struts框架是一个基于Java Servlets,JavaBeans, 和 JavaServer Pages JSP的Web应用框架的开源项目。 Apache Struts "ParameterInterceptor"类存在一个错误,允许远程攻击者利用漏洞修改服务端对象,如通过特制的OGNL表达式来执行任意命令。 0 Apache Struts 2.x 厂商解决方案 Apache Struts 2.3.14.1已经修复此漏洞,建议用户下载更新: http://struts.apache.org/...
Apache Struts 'includeParams' 不完整修复安全绕过漏洞(CVE-2013-2115)
BUGTRAQ ID: 60167 CVECAN ID: CVE-2013-2115 Struts2 是第二代基于Model-View-Controller MVC模型的java企业级web应用框架。它是WebWork和Struts社区合并后的产物。 Apache Struts 2.0.0-2.3.14.1存在未彻底修复的安全措施绕过漏洞(CVE-2013-1966),攻击者可利用此漏洞以当前用户权限执行任意代码。此漏洞已经在Struts 2.3.14.2中修复。 0 Apache Group Struts2 2.0.0 - 2.3.14.1 厂商补丁: Apache ------...
Apache-Struts IncludeParams < 2.3.14.1 RCE Linux
Apache-Struts2 / OpenSymphony-Xwork RCE Vulnerability Type: Remote Command Execution For the exploit source code contact DSquare Security sales team...