GHSA-WXW2-2MX5-C5QF Improper Input Validation in OpenSymphony XWork

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language OGNL statements and...

Improper Input Validation in OpenSymphony XWork

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language OGNL statements and...

Server side object manipulation in Apache Struts

OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the ''-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in...

GHSA-X5FC-PGPX-59J5 Server side object manipulation in Apache Struts

OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the ''-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in...

GHSA-2HJR-FG6C-V2H6 Unauthorized access to Class instance in Jinjava

Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVE-2020-4076 Context isolation bypass via leaked cross-context objects in Electron

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions...

XWork 2.0.x 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/32101/info XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. Attackers can exploit this issue to manipulate server-side context objects with the privileges of the...

Apache Struts2/XWork Remote Command Execution Vulnerability

This host is running Struts and is prone to remote command execution vulnerability. OpenVAS Vulnerability Test $Id: gbapachestrutsxworkcmdexecvuln.nasl 5263 2017-02-10 13:45:51Z teissa $ Apache Struts2/XWork Remote Command Execution Vulnerability Authors: Sooraj KS Copyright: Copyright c 2010...

CVE-2010-1870

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "" protection mechanis...

CVE-2010-1870

The CVE-2010-1870 entry covers OGNL expression evaluation in XWork (Struts 2.0.0–2.1.8.1) with a permissive whitelist that allows remote modification of server-side context objects and bypass of the # protection via OGNL context variables (e.g., #context, #root, #this, etc.). Cisco advisory notes...

CVE-2010-1870

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "" protection mechanis...

Design/Logic Flaw

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language OGNL statements and...

XWork < 2.0.11.2 - 'ParameterInterceptor' Class OGNL Security Bypass

source: https://www.securityfocus.com/bid/32101/info XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application...