2549 matches found
CVE-2008-6504
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...
CVE-2008-6505
CVE-2008-6505 affects Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3. The vulnerability is a directory traversal issue triggered by an encoded dot-dot-slash sequence in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x. Explo...
CVE-2008-6504
CVE-2008-6504 affects OpenSymphony XWork (ParameterInterceptor) used in Apache Struts: OGNL refs to # context objects are not properly restricted, enabling remote OGNL evaluation and modification of server-side objects. Affected: XWork 2.0.x prior to 2.0.6 and 2.1.x prior to 2.1.2; vulnerability ...
CVE-2008-6505
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1...
Apache Struts 2 < 2.0.12 / 2.1.3 Dispatcher Directory Traversal
The remote web server is using Apache Struts, a web application framework for developing Java EE web applications. The version of Apache Struts 2 installed on the remote host fails to properly decode and normalize the request path before serving static content. Using double-encoded directory...
Apache Struts 2 devMode Information Disclosure
The remote web server is using Apache Struts 2, a web application framework for developing Java EE web applications. The version of Apache Struts 2 installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web...
Update Protection against Apache Struts Security Bypass and Directory Traversal
A directory traversal vulnerability has been reported in Apache Struts. Apache Struts is a Java-based web application development framework. This vulnerability allows an attacker to access normally-inaccessible files and directories through a specially-created HTTP request, leading to potential...
XWork 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability
BUGTRAQ ID: 32101 CNCAN ID: CNCAN-2008110505 XWork is a command pattern framework used to support Struts 2 and other applications. XWork has a design flaw that allows remote attackers to bypass security restrictions and manipulate server-side context objects. The XWork ParametersInterceptor implementation has a security bypass problem; OGNL is a complex language that provides a large number of features, such as expression evaluation: http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html...
XWork 2.0.11.2 - ParameterInterceptor Class OGNL Security Bypass
XWork 2.0.11.2 - ParameterInterceptor Class OGNL Security Bypass source: https://www.securityfocus.com/bid/32101/info XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. Attackers can exploit this issue to manipulate server-side context...
Struts 2.0.11 - Multiple Directory Traversal Vulnerabilities
Struts 2.0.11 - Multiple Directory Traversal Vulnerabilities source: https://www.securityfocus.com/bid/32104/info Struts is prone to multiple directory-traversal vulnerabilities because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit these issues using...
XWork < 2.0.11.2 - 'ParameterInterceptor' Class OGNL Security Bypass
source: https://www.securityfocus.com/bid/32101/info XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application...
Apache Struts Validator allows input data validation to be bypassed
Overview Apache Struts is a Web application framework from the Apache Software Foundation. Apache Struts contains a vulnerability that allows the Validator's input data validation to be bypassed. Impact Depending on the web application, an attacker may be able to manipulate unexpected operations by...
Input validation
Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop)...
CVE-2007-4556
Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop)...
CVE-2007-4556
OpenSymphony XWork (used by WebWork and Apache Struts) before 1.2.3, and 2.x before 2.0.4, evaluates inputs as OGNL expressions when altSyntax is enabled. The underlying issue is recursive OGNL processing, which can lead to a denial of service (infinite loop) and, in some cases, remote code execu...
Apache Struts Error Response Cross-Site Scripting Vulnerability
Struts is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the...
security flaw
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to...
struts LookupDispatchAction XSS
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...
Moderate: Red Hat Security Advisory: struts security update for Red Hat Application Server
An updated Struts package that fixes several security issues is now available for Red Hat Application Server. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Struts is a framework for building web applications with Java. A validation bug was...