Description
Apache Struts, when forced to, performs double OGNL evaluation of attribute values assigned to certain tags, so it is possible to pass in a value that is evaluated a second time when the tag's attributes are rendered. Forced double OGNL evaluation, when performed on raw user input placed in tag attributes, may lead to remote code execution.
Remediation
Add proper validation of every incoming value that is used in a tag's attributes.
Do not use forced evaluation (the %{...} syntax) on any attribute other than value unless it is really needed for a valid use case.
Upgrading to Struts 2.3.28 limits the possible malicious effects of forced double evaluation.
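The following JSP fragment is an added example, not part of this advisory or of the Struts project's own code, illustrating both the weakness in the Description and the remediation above. It assumes a hypothetical action class exposing a String property named "name" that is populated from a request parameter of the same name; the attribute names and the "name" property are assumptions for illustration.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>
<%-- Added example (not from the advisory). Assumes an action with a String
     property "name" bound from the request parameter ?name=... --%>

<%-- VULNERABLE: forced evaluation of an attribute other than "value".
     Struts first evaluates %{name} to the raw request string, and because the
     attribute was forced with %{...}, that resulting string is evaluated again
     as OGNL when the tag renders. A request parameter holding an OGNL
     expression therefore reaches the OGNL evaluator. --%>
<s:textfield name="%{name}" />

<%-- FIXED: pass the attribute as a plain string. "name" is now a literal
     property reference; the request value is rendered as text, not evaluated. --%>
<s:textfield name="name" />

<%-- "value" is the one attribute where %{...} is the intended usage. Even here,
     point it at a property whose contents have been validated in the action,
     never at an unvalidated request string. --%>
<s:textfield name="name" value="%{name}" />
```

The validation called for in the first remediation point belongs in the action that populates the property (for example, a whitelist check in the action's validate() method that rejects anything outside the expected character set) so that no attacker-controlled string reaches a tag attribute in the first place. Combine that with the upgrade to Struts 2.3.28 rather than relying on either measure alone.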