Vulnerabilities

CVE-2014-0116

by Fred · 08/05/2014

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

Date published : 2014-05-08

http://www.securityfocus.com/bid/67218

http://struts.apache.org/release/2.3.x/docs/s2-022.html

Similar

Tags: Cybersecurity Alert