XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
----------------------------------------------------------------------

                 Key: WW-2692
                 URL: https://issues.apache.org/struts/browse/WW-2692
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.1.2, 2.1.1, 2.1.0, 2.0.11.1, 2.0.11, 2.0.10, 2.0.9, 2.0.8, 2.0.7, 2.0.6, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1, 2.0.0
            Reporter: Rene Gielen
            Assignee: Rene Gielen
            Priority: Critical


Meder Kydyraliev of the Google Security Team reported a vulnerability to the 
XWork team that allows attackers to bypass security measures implemented in 
ParametersInterceptor to inject OGNL expressions.
Since XWork is the foundation of Struts2, this must be considered a Struts2 
vulnerability as well.

For a full description, see
http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
