29 matches found
OpenSymphony XWork/Apache Struts2 - Remote Code Execution
Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service infini...
EUVD-2022-4099
Malicious code in bioql PyPI...
cn.sinapp.meutils:me-utils (=1.0), com.gnizr:gnizr-robot (=2.4.0-M4) +40 more potentially affected by CVE-2023-39022 via opensymphony:oscore (>=2.2.4 <=2.2.6)
opensymphony:oscore MAVEN version =2.2.4, =2.0, =2.1.5, =1.1.1, =1.1.3, =1.2, =1.2.3 and more Source cves: CVE-2023-39022 Source advisory: OSV:GHSA-859M-2PFX-FWHF...
CVE-2023-39022
oscore v2.2.6 and below was discovered to contain a code injection vulnerability in the component com.opensymphony.util.EJBUtils.createStateless. This vulnerability is exploited via passing an unchecked argument...
Improper Input Validation in OpenSymphony XWork
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...
GHSA-WXW2-2MX5-C5QF Improper Input Validation in OpenSymphony XWork
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...
br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), info.kfgodel:bean2bean (>=1.1.5 <=1.1.6) +27 more potentially affected by CVE-2008-6504 via com.opensymphony:xwork (>=2.1.0 <=2.1.1)
com.opensymphony:xwork MAVEN version =2.1.0, =1.2.1, =1.1.5, =1.1.6 - net.sf.fastupload:fastupload-core =0.4.7 - org.apache.struts:struts2-apps =2.1.2 - org.apache.struts:struts2-blank =2.1.2 - org.apache.struts:struts2-codebehind-plugin =2.1.2 - org.apache.struts:struts2-config-browser-plugin...
XWork in Apache Struts Reveals Sensitive Information
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....
com.google.code.struts2webflow:struts2webflow-parent (=1.0.4), com.google.code.struts2webflow:struts2webflow-plugin (=1.0.4) +23 more potentially affected by CVE-2007-4556 via opensymphony:xwork (>=2.0.0 <=2.0.3)
opensymphony:xwork MAVEN version =2.0.0, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.8 and more Source cves: CVE-2007-4556 Source advisory: OSV:GHSA-H7MF-QRM9-2848...
OpenSymphony XWork vulnerable to improper input validation
XWork is a command-pattern framework that is used to power WebWork as well as other applications. Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression...
berkano:bean-displaytag (>=20050615.234814 <=20050616.015551), berkano:berkano-util (>=dev-20050722 <=dev-20050723) +28 more potentially affected by CVE-2007-4556 via opensymphony:xwork (>=1.0.3 <=1.2.2)
opensymphony:xwork MAVEN version =1.0.3, =20050615.234814, =dev-20050722, =2.1.5, =1.1.3, =1.0-alpha-1, =1.1-beta-1, =1.1-beta-1, =1.0-beta-2, =1.0-beta-3 - org.codehaus.jet:jet-web-engine =1.0-beta-2 and more Source cves: CVE-2007-4556 Source advisory: OSV:GHSA-H7MF-QRM9-2848...
Denial Of Service (DoS)
OpenSymphony XWork is vulnerable to denial of service. Object-Graph Navigation Language (OGNL) expressions are recursively evaluated when altSyntax is enabled. A remote attacker is able to submit a crafted input to cause an infinite loop which results in a denial of service condition. This...
Apache Struts 2 2.3.1 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory. title: Multiple critical vulnerabilities in Apache Struts2; product: Apache Struts2 OpenSymphony XWork OpenSymphony OGNL; vulnerab...
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory. title: Multiple critical vulnerabilities in Apache Struts2; product: Apache Struts2 OpenSymphony XWork OpenSymphony OGNL; vulnerable version: 2.3.1 and below; fixed version: 2.3.1....
Apache Struts2 <= 2.3.1 Multiple Vulnerabilities
Exploit for multiple platform in category web applications. SEC Consult Vulnerability Lab Security Advisory. title: Multiple critical vulnerabilities in Apache Struts2; product: Apache Struts2 OpenSymphony XWork OpenSymphony OGN...
Apache Struts 2, XWork, OpenSymphony WebWork Java Class Path Information Disclosure
Security Advisory: MVSA-11-007; http://www.ventuneac.net/security-advisories/MVSA-11-007; CVE: CVE-2011-2088; Vendors: Apache Software Foundation, OpenSymphony; Products: Struts 2, XWork, WebWork; Vulnerabilities: Java Class Path Information Disclosure; Risk: Medium; Attack Vector: From Remote...
CVE-2011-2088
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....
CVE-2011-1772
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) t...
Security feature bypass
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) t...