CVE-2018-8032

MEDIUM

Apache Axis <= 1.4 - Cross-Site Scripting in Default Servlet

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8032. PoCs published by cairuojin.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2018-8032, which is a deserialization vulnerability in Apache Axis. The exploit leverages the AdminClientTask to execute arbitrary commands via malicious serialized data.

Description

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

Exploits (1)

nomisec WORKING POC

by cairuojin · poc

https://github.com/cairuojin/CVE-2018-8032

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2018-8032, which is a deserialization vulnerability in Apache Axis. The exploit leverages the AdminClientTask to execute arbitrary commands via malicious serialized data.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache Axis 1.4

No auth needed

Prerequisites: Network access to the target Apache Axis server · Ability to send crafted serialized data to the AdminClientTask endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15

Core References

Issue Tracking, Patch, Vendor Advisory

https://issues.apache.org/jira/browse/AXIS-2924

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch, Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch, Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240621-0006/

Vendor Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Various Sources mailing-list

http://mail-archives.apache.org/mod_mbox/axis-java-dev/201807.mbox/%3CJIRA.13170716.1531060536000.93536.1531060560060%40Atlassian.JIRA%3E

Mailing List mailing-list

https://lists.apache.org/thread.html/d06ed5e4eeb77d00e8d594ec01ee8ee1cba173a01ac4b18f1579d041%40%3Cjava-dev.axis.apache.org%3E

Mailing List mailing-list

https://lists.apache.org/thread.html/3b89bc9e9d055db7eba8835ff6501f3f5db99d2a0928ec0be9b1d17b%40%3Cjava-dev.axis.apache.org%3E

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2021/11/msg00015.html

Scores

CVSS v3 6.1

EPSS 0.0171

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (50)

apache/axis 1.0 - 1.4

axis/axis 0Maven

debian/debian_linux 9.0

oracle/agile_engineering_data_management 6.2.1.0

oracle/agile_product_lifecycle_management 9.3.3

oracle/application_testing_suite 13.2.0.1

oracle/application_testing_suite 13.3.0.1

oracle/big_data_discovery 1.6

oracle/communications_asap_cartridges 7.2

oracle/communications_asap_cartridges 7.3

... and 40 more

Published Aug 02, 2018

Tracked Since Feb 18, 2026