Test ID: 1.3.6.1.4.1.25623.1.0.800278
Category: Web application abuses
Title: Apache Struts Security Update (S2-002, S2-003)
Summary: Apache Struts is prone to multiple vulnerabilities.
Description:

Summary:
Apache Struts is prone to multiple vulnerabilities.

Vulnerability Insight:
- CVE-2008-6504: OGNL provides, among other features, extensive
expression evaluation capabilities. The vulnerability allows a malicious user to bypass the
'#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server
side context objects.

- CVE-2008-6682: This flaw is due to improper sanitization of user-supplied input in the ''
and '' tags, which do not encode the URL parameter when it is specified in the action attribute,
allowing XSS attacks.

Vulnerability Impact:
- CVE-2008-6504: Remote server context manipulation

- CVE-2008-6682: Injection of malicious client side code

Affected Software/OS:
Apache Struts 2.0.0 through 2.1.8.1.

Solution:
Update to version 2.2.1 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2008-6504
BugTraq ID: 32101
http://www.securityfocus.com/bid/32101
http://osvdb.org/49732
http://secunia.com/advisories/32495
http://secunia.com/advisories/32497
http://www.vupen.com/english/advisories/2008/3003
http://www.vupen.com/english/advisories/2008/3004
XForce ISS Database: xwork-parameterinterceptor-security-bypass(46328)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46328
Common Vulnerability Exposure (CVE) ID: CVE-2008-6682
BugTraq ID: 34686
http://www.securityfocus.com/bid/34686
Copyright: Copyright (C) 2009 Greenbone Networks GmbH