ListSERV Maestro <= 9.0-8 RCE Vulnerability CVE-2010-1870 Scanner Detail
In ListSERV Maestro <= 9.0-8, there is a Remote Code Injection vulnerability.
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Some Advice for Common Problems
- Apply the vendor's fixes for this vulnerability.
- Sanitize all parameters received as user input.