An unauthenticated remote code execution vulnerability was found in the LISTSERV Maestro software, versions 9.0-8 and below. This vulnerability stems from a known issue in Apache Struts, CVE-2010-1870, that allows for code execution via OGNL injection. This vulnerability has been confirmed to be exploitable in both the Windows and Linux versions of the software and has existed in the LISTSERV Maestro software since at least version 8.1-5. As a result, a specially crafted HTTP request can be constructed that executes code in the context of the web application. Exploitation of this vulnerability does not require authentication and can lead to root-level privilege on any system running the LISTSERV Maestro services.
47ea69c299460db10d186131b9f1c65c7396d9a132d29b4816b4093286ef4a74
Cisco Security Advisory - Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870. The vulnerability is due to insufficient sanitization of user-supplied input in the XWork component of the affected software. The component uses the ParameterInterceptors directive to parse Object-Graph Navigation Language (OGNL) expressions, which are restricted via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. A successful exploit could allow the attacker to execute arbitrary code on the targeted system. Cisco has released free software updates that address this vulnerability for all the affected products except the Cisco Business Edition 3000 Series. Customers using the Cisco Business Edition 3000 Series should contact their Cisco representative for available options.
6f91bfcb2757700348af79660ac6a9766a00f19b2b4bea8903dbb44b21d05b81
This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions below 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL expressions passed to the web server. By sending a specially crafted request to the Struts application, it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.
f3dc9c6ae8fc8270cc4ef71f82c223ad04ea9e8725f94ee4894465c9a0bfbc4b
VMware Security Advisory 2011-0005 - A vulnerability in VMware vCenter Orchestrator (vCO) could allow remote code execution.
3ca6a1a98436c002d49e384bd7ac183f99f4e5f750a733bc1a9762d4b4d6c4a2
Struts2/XWork suffers from a remote command execution vulnerability.
4bfaf1025cecb689d125b743ac0333bad9a7f8606514866a6849cf570bfdb557