CVE-2008-6504
published 2009-03-23


Priority: P348
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 39.40% (98.4th percentile)
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Affected

34 ranges (showing 25)

Vendor: apache
Product: struts
Version range / Fixed in: not recoverable from this copy of the page (the 25 listed rows all name apache struts; the version columns did not survive extraction)

Detection & IOCs (extracted from sources)

  • Detect HTTP parameters containing a Unicode-escaped pound sign (\u0023) used to bypass the '#' restriction in ParametersInterceptor and inject OGNL expressions
  • Monitor HTTP request parameters for OGNL context variable references such as #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation and #_keepLastEvaluation as indicators of exploitation attempts
  • CVE-2008-6504 affects OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2; the exploit payload using \u0023 to bypass '#' filtering is specific to these vulnerable versions
  • CVE-2008-6504 and CVE-2010-1870 are distinct vulnerabilities sharing the same ParametersInterceptor attack surface; detections should account for both bypass techniques (Unicode escape and permissive whitelist)

CVSS provenance

NVD: CVSS v2.0 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
Vendor (Red Hat): 5.0 MEDIUM