Test ID: 1.3.6.1.4.1.25623.1.0.800278
Category: Web application abuses
Title: Apache Struts Security Update (S2-002, S2-003)
Summary: Apache Struts is prone to multiple vulnerabilities.
Description:
Summary:
Apache Struts is prone to multiple vulnerabilities.

Vulnerability Insight:
- CVE-2008-6504: OGNL provides, among other features, extensive expression evaluation capabilities. The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor and thereby manipulate server-side context objects.

- CVE-2008-6682: This flaw is due to improper sanitization of user-supplied input in the '' and '' tags, which do not encode the URL parameter when it is specified in the action attribute, allowing cross-site scripting (XSS) attacks.

Vulnerability Impact:
- CVE-2008-6504: Remote server context manipulation

- CVE-2008-6682: Injection of malicious client side code

Affected Software/OS:
Apache Struts 2.0.0 through 2.1.8.1.

Solution:
Update to version 2.2.1 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2008-6504
BugTraq ID: 32101
http://www.securityfocus.com/bid/32101
http://osvdb.org/49732
http://secunia.com/advisories/32495
http://secunia.com/advisories/32497
http://www.vupen.com/english/advisories/2008/3003
http://www.vupen.com/english/advisories/2008/3004
XForce ISS Database: xwork-parameterinterceptor-security-bypass(46328)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46328
Common Vulnerability Exposure (CVE) ID: CVE-2008-6682
BugTraq ID: 34686
http://www.securityfocus.com/bid/34686
Copyright: Copyright (C) 2009 Greenbone Networks GmbH

© 1998-2025 E-Soft Inc. All rights reserved.