CVE-2008-6504
Improper Input Validation in OpenSymphony XWork
EPSS 65.1%
Description
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
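To make the bypass concrete, the following is an added illustrative example, not code from XWork or Struts: a denylist check on the literal # character is defeated by the \u0023 escape because the expression parser decodes that escape only after the check has run, while an allowlist on the expected property-path grammar rejects the name before it is ever parsed. The function names, the regular expressions and the sample parameters are assumptions made for this page, and resolve_unicode_escapes is a simplified stand-in for the real OGNL lexer, not its implementation.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request parameters (not from a real exploit capture).
# "user.name" is an ordinary form field. The second name smuggles '#' as the
# Java/OGNL unicode escape \u0023, so a check for the literal character never
# sees it, yet the expression parser will.
SAMPLE_PARAMS = {
    "user.name": "alice",
    "('\\u0023context')(x)": "1",
}


def denylist_accepts(name: str) -> bool:
    """Vulnerable pattern (illustrative, not XWork's code): reject only a literal '#'."""
    return "#" not in name


def resolve_unicode_escapes(name: str) -> str:
    """Simplified stand-in for the OGNL lexer: a \\uXXXX escape inside a
    string literal decodes to the character it names, so \\u0023 -> '#'."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), name)


# Hardened pattern: allowlist only the property-path grammar you intend to
# bind (identifiers, dotted access, numeric indices). Backslashes, quotes,
# parentheses and '#' all fail the match before OGNL ever parses the name.
ACCEPTED_NAME = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[[0-9]+\])*"
)


def allowlist_accepts(name: str) -> bool:
    return ACCEPTED_NAME.fullmatch(name) is not None


def bind_parameters(params: dict, accepts) -> list:
    """Names the interceptor would hand on to the expression evaluator."""
    return [n for n in params if accepts(n)]


# Detection aid for access logs: after URL-decoding, a parameter name that
# carries '#' directly or as the \u0023 escape is worth alerting on.
SUSPICIOUS = re.compile(r"#|\\u0023", re.IGNORECASE)


def suspicious_param_names(query_string: str) -> list:
    return [n for n, _ in parse_qsl(query_string, keep_blank_values=True)
            if SUSPICIOUS.search(n)]


if __name__ == "__main__":
    for name in bind_parameters(SAMPLE_PARAMS, denylist_accepts):
        print("denylist passed:", name,
              "-> parser sees:", resolve_unicode_escapes(name))
    print("allowlist passed:", bind_parameters(SAMPLE_PARAMS, allowlist_accepts))
    print("flagged:", suspicious_param_names(
        "user.name=alice&%28%27%5Cu0023context%27%29%28x%29=1"))
```

Running the script shows the denylist letting the escaped name through and the parser turning it into ('#context')(x), the allowlist binding only user.name, and the log check flagging the URL-encoded form of the same name. The point generalises beyond this CVE: any filter that inspects the raw parameter name for a forbidden character, while the downstream parser applies its own escape decoding, can be bypassed with that parser's escape syntax, so validate against a positive grammar instead.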
How to fix CVE-2008-6504
To remediate CVE-2008-6504, upgrade the affected package to a fixed version below. Per the description, the fix is in 2.0.6 for the 2.0.x branch and 2.1.2 for the 2.1.x branch; Apache Struts and other products that bundle XWork need a release that ships one of those fixed XWork versions.
- Maven/com.opensymphony:xwork: upgrade to 2.0.6 or later on the 2.0.x branch, or 2.1.2 or later on the 2.1.x branch
Is CVE-2008-6504 being exploited?
Likely. An EPSS score of 65.1% is the model's estimated probability of exploitation activity in the next 30 days, which places CVE-2008-6504 in the top tier of vulnerabilities by exploitation probability. The bypass requires nothing more than a crafted parameter name in an HTTP request to an action handled by ParametersInterceptor, so prioritise patching.
Affected packages (1)
- com.opensymphony:xwork, from 0, < 2.0.6 (the description also lists the 2.1.x branch before 2.1.2 as affected)