Struts support in OpenSymphony XWork prior to 1.2.3, and 2.x prior to 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote malicious users to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
Vulnerable Product |
---|
opensymphony xwork |
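
A defensive check for the input shape described above, as an added example that is not part of the original advisory or of XWork/Struts code: it scans form parameters for values that begin with "%{" and end with "}" once decoded. The sample bodies, the function names, and the extra decoding passes and whitespace trimming are assumptions made for this example.

```python
from urllib.parse import parse_qsl, unquote

# Constructed form bodies (application/x-www-form-urlencoded), not real traffic.
SAMPLE_BODIES = [
    "name=alice&age=30",
    "name=%25%7Buser.name%7D&age=30",   # decodes to %{user.name}
    "comment=save+50%25+%7Btoday%7D",   # has "%" and "{" but is not wrapped
    "name=%2525%257Buser.name%257D",    # same value, percent-encoded twice
    "note=++%25%7Btitle%7D++",          # wrapped value padded with spaces
]

MAX_ROUNDS = 3  # assumption: bound on extra decoding passes


def normalize(value):
    """Undo leftover percent-encoding layers and trim whitespace.

    Decoding more than once and trimming are conservative choices for
    detection; the advisory only describes the decoded shape.
    """
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def is_wrapped_expression(value):
    """True if the value begins with "%{" and ends with "}"."""
    v = normalize(value)
    return len(v) >= 3 and v.startswith("%{") and v.endswith("}")


def scan_body(body):
    """Return (parameter, normalized value) pairs that match the shape."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return [(k, normalize(v)) for k, v in pairs if is_wrapped_expression(v)]


def scan_all(bodies):
    """Map body index -> findings, for bodies with at least one finding."""
    results = {i: scan_body(b) for i, b in enumerate(bodies)}
    return {i: hits for i, hits in results.items() if hits}


if __name__ == "__main__":
    for index, hits in scan_all(SAMPLE_BODIES).items():
        for param, value in hits:
            print(f"body {index}: parameter {param!r} carries {value!r}")
```

A match marks input to review or reject at the edge; it does not replace upgrading past the affected XWork versions listed in the description.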