2 matches found
GHSA-V8J6-6C2R-R27C Expression Language Injection in Apache Struts
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %... syntax. Using forced OGNL evaluation on untrusted user input can lead to a...
PT-2022-2374
Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.0.0 through 2.5.29 Description The issue arises from incorrect handling of Object Graph Navigation Language expressions, which can lead to security degradation. If a developer uses forced OGNL evaluation with the %...