Lucene search

92 matches found

Atlassian
added 2013/07/05 5:19 a.m., 22 views

Webwork 2 code injection vulnerability

We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Bamboo, the attacker needs to be able to access Bambo...

1.7 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2013/07/05 5:19 a.m., 24 views

Webwork 2 code injection vulnerability

We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Bamboo, the attacker needs to be able to access Bambo...

1.7 AI score
Exploits: 0
Atlassian
added 2012/11/20 1:56 a.m., 19 views

Webwork direct method invocation can bypass validatingStack through Action aliases

WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to different names. This allows a developer to reuse the same action logic, but provide different results based on interceptors. When an action is invoked, Webwork will typically call its...

0.7 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2012/11/20 1:56 a.m., 27 views

Webwork direct method invocation can bypass validatingStack through Action aliases

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-27294. WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...

0.3 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2012/11/20 1:56 a.m., 29 views

Webwork direct method invocation can bypass validatingStack through Action aliases

NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-27294. WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...

0.3 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2012/11/20 1:56 a.m., 30 views

Webwork direct method invocation can bypass validatingStack through Action aliases

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-27294. WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...

0.3 AI score
Exploits: 0
Atlassian
added 2012/08/20 6:19 a.m., 21 views

GH Webwork actions are vulnerable to XSRF.

GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...

3.4 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2012/08/20 6:19 a.m., 21 views

GH Webwork actions are vulnerable to XSRF.

GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...

3.4 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2012/08/20 6:19 a.m., 20 views

GH Webwork actions are vulnerable to XSRF.

GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...

3.4 AI score
Exploits: 0, Affected Software: 1
myhack58
added 2012/03/10 12:0 a.m., 17 views

Struts2 and Webwork remote command execution vulnerability analysis-vulnerability warning-the black bar safety net

The vulnerability discovered by the publisher of the POC, and can not affect the xwork 2.1.2 prior to some version this version before some of the versions below will be collectively referred to as the old version, then called the new version, such as struts 2.0.14 that is, the struts patch A N...

7.3 AI score
Exploits: 0
NVD
added 2011/05/13 5:5 p.m., 25 views

CVE-2011-2088

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....

5 CVSS, 9.1 AI score, 0.0614 EPSS
Exploits: 0, References: 5
NVD
added 2011/05/13 5:5 p.m., 34 views

CVE-2011-1772

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) t...

2.6 CVSS, 8.3 AI score, 0.34111 EPSS
Exploits: 3, References: 10
Cvelist
added 2011/05/13 5:0 p.m., 26 views

CVE-2011-2088

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....

9 AI score, 0.0614 EPSS
Exploits: 0, References: 5
Saint
added 2010/08/05 12:0 a.m., 66 views

Apache Struts2 XWork ParameterInterceptor security bypass

Added: 08/05/2010; CVE: CVE-2010-1870; BID: 41592; OSVDB: 66280. Background: Apache Struts is a Java web application framework. Apache Struts version 2 is based on WebWork 2. WebWork 2 uses XWork to invoke actions based on HTTP parameter names. The ParameterInterceptor component of XWork runs the...

5 CVSS, 9.9 AI score, 0.91079 EPSS
Exploits: 22
Saint
added 2010/08/05 12:0 a.m., 28 views

Apache Struts2 XWork ParameterInterceptor security bypass

Added: 08/05/2010; CVE: CVE-2010-1870; BID: 41592; OSVDB: 66280. Background: Apache Struts is a Java web application framework. Apache Struts version 2 is based on WebWork 2. WebWork 2 uses XWork to invoke actions based on HTTP parameter names. The ParameterInterceptor component of XWork runs the...

5 CVSS, 9.9 AI score, 0.91079 EPSS
Exploits: 22
myhack58
added 2010/07/17 12:0 a.m., 16 views

Struts2/XWork < 2.2.0 remote execution of arbitrary code vulnerability analysis and patch-vulnerability warning-the black bar safety net

Neeao's Blog http://neeao.com/ : 1. exploit-db website on July 14 broke a Struts2 remote execution of arbitrary code vulnerability, hazard of large, can be described as a crack shot, directly to the root, as long as the use Struts2 and webwork framework of the system for the...

0.7 AI score
Exploits: 0
Prion
added 2009/03/26 9:0 p.m., 18 views

Design/Logic Flaw

The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."...

6.8 CVSS, 7.5 AI score, 0.01753 EPSS
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2009/03/26 9:0 p.m., 22 views

CVE-2008-6531

The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."...

6.8 CVSS, 6.8 AI score, 0.01753 EPSS
Exploits: 0, References: 5
Cvelist
added 2009/03/26 8:28 p.m., 29 views

CVE-2008-6531

The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."...

6.8 AI score, 0.01753 EPSS
Exploits: 0, References: 5
CVE
added 2009/03/26 8:28 p.m., 47 views

CVE-2008-6531

Affected software: Atlassian Jira (

6.8 CVSS, 7.1 AI score, 0.01753 EPSS
Exploits: 0, References: 5, Affected Software: 1