Moderate severityNVD Advisory· Published Mar 23, 2009· Updated Apr 23, 2026
CVE-2008-6504
CVE-2008-6504
Description
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.opensymphony:xworkMaven | < 2.0.6 | 2.0.6 |
com.opensymphony:xworkMaven | >= 2.1.0, < 2.1.2 | 2.1.2 |
Affected products
20cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:opensymphony:xwork:2.0.0:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:opensymphony:xwork:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.1.1:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
16- fisheye6.atlassian.com/cru/CR-9/nvdPatch
- issues.apache.org/struts/browse/WW-2692nvdExploitWEB
- jira.opensymphony.com/browse/XW-641nvdExploitWEB
- struts.apache.org/2.x/docs/s2-003.htmlnvdExploitWEB
- secunia.com/advisories/32495nvdVendor AdvisoryWEB
- secunia.com/advisories/32497nvdVendor AdvisoryWEB
- www.vupen.com/english/advisories/2008/3003nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-wxw2-2mx5-c5qfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2008-6504ghsaADVISORY
- fisheye6.atlassian.com/cru/CR-9ghsaWEB
- web.archive.org/web/20081119232431/jira.opensymphony.com/browse/XW-641ghsaWEB
- web.archive.org/web/20130807023152/https://fisheye6.atlassian.com/cru/CR-9ghsaWEB
- www.securityfocus.com/bid/32101nvdWEB
- www.vupen.com/english/advisories/2008/3004nvdWEB
- exchange.xforce.ibmcloud.com/vulnerabilities/46328nvdWEB
- osvdb.org/49732nvd
News mentions
0No linked articles in our index yet.