- Struts2, the Java web framework, is vulnerable to remote command execution because of a flaw in XWork's ParametersInterceptor, which is enabled by default in Struts2 and WebWork applications. The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParametersInterceptor via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables.
- Upgrade to Struts version 2.2.
- phpThumb() fltr parameter command injection vulnerability
- WordPress Plugin Social Media Tab Remote Code Execution (1.0.9)
- WordPress Plugin EWWW Image Optimizer Remote Code Execution (2.8.3)
- WordPress Plugin is_human() 'type' Parameter Remote Command Injection (1.4.2)
- WordPress Plugin WordPress Mobile Pack Information Disclosure (2.0.1)
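The Struts2/XWork entry above says the "#" protection in ParametersInterceptor can be bypassed to reach context variables such as #_memberAccess. The following is an added detection example, not Struts code and not taken from the advisory: it models a request-parameter check that a WAF author or log reviewer would write after reading that entry. It goes one step beyond the entry's text in one respect that is well established for this bug class: OGNL decodes the Java-style escape `\u0023` to `#`, so a filter that only looks for a literal `#` in the parameter name passes the attack through. The `naive_hash_filter_accepts` function is an assumed model of such a filter, not the real interceptor's code; the query string is constructed sample input.

```python
"""Flag S2-005-style OGNL context-variable references in request parameter names.

Added example (not part of the Struts project). It shows why a literal '#'
check is insufficient and how to look for the context variables named in the
advisory after normalising OGNL escapes.
"""
import re
from urllib.parse import parse_qsl

# Context variables listed in the advisory (CVE-2010-1870).
BLOCKED_CONTEXT_VARS = frozenset({
    "context", "_memberAccess", "root", "this", "_typeResolver",
    "_classResolver", "_traceEvaluations", "_lastEvaluation",
    "_keepLastEvaluation",
})

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# '#' followed by an identifier, e.g. "#_memberAccess" or "# context".
_CONTEXT_REF = re.compile(r"#\s*([A-Za-z_][A-Za-z0-9_]*)")


def normalize_ognl(name: str) -> str:
    """Resolve OGNL \\uXXXX escapes so that '\\u0023' compares equal to '#'."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def naive_hash_filter_accepts(name: str) -> bool:
    """Assumed model of a '#'-only filter: accepts any name without a literal '#'.

    This is the kind of check the advisory describes as bypassable; it is not
    the real ParametersInterceptor code.
    """
    return "#" not in name


def flag_context_vars(name: str) -> list[str]:
    """Return the blocked OGNL context variables a parameter name refers to."""
    decoded = normalize_ognl(name)
    hits = {m.group(1) for m in _CONTEXT_REF.finditer(decoded)
            if m.group(1) in BLOCKED_CONTEXT_VARS}
    return sorted(hits)


def scan_query_string(qs: str) -> dict[str, list[str]]:
    """Map each offending parameter name to the context variables it smuggles."""
    findings: dict[str, list[str]] = {}
    for name, _value in parse_qsl(qs, keep_blank_values=True):
        hits = flag_context_vars(name)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample request: one benign parameter and two parameter names
# that use the \u0023 escape to reach #_memberAccess and #context.
SAMPLE_QUERY = (
    "user.name=alice"
    "&('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(x)=true"
    "&('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']')(y)=false"
)


if __name__ == "__main__":
    for name, _ in parse_qsl(SAMPLE_QUERY, keep_blank_values=True):
        print(f"naive filter accepts: {naive_hash_filter_accepts(name)!s:5} "
              f"flagged: {flag_context_vars(name)}  name={name}")
```

The point of the pair of functions is the gap between them: both attack names pass the literal `#` check, while the normalised check ties each one back to a context variable from the advisory. In a real deployment the normalisation step would also have to cover percent-encoding (handled here by `parse_qsl`) and any other decoding layer in front of the framework.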