CVE - CVE-2013-4212

CVE-ID
CVE-2013-4212	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection."
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://rollerweblogger.org/project/entry/apache_roller_5_0_2 EXPLOIT-DB:29859 URL:http://www.exploit-db.com/exploits/29859 MISC:http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html OSVDB:100342 URL:http://www.osvdb.org/100342 SECUNIA:55862 URL:http://secunia.com/advisories/55862 SECUNIA:55877 URL:http://secunia.com/advisories/55877 XF:apache-roller-cve20134212-command-exec(89239) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/89239
Assigning CNA
Red Hat, Inc.
Date Record Created
20130612	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20130612)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)