Description
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.
Remediation
References