A Remote Code Execution vulnerability exists in Apache Struts2 when performing file upload based on the Jakarta Multipart parser.
It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown, which is then used to display an error message to the user.
Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
- If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1.
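To find deployments that fall inside the affected Struts version ranges listed above, the following added example (not part of the original advisory or of Apache Struts) classifies jar paths from an application inventory. It assumes the usual Maven file naming `struts2-core-<version>.jar`; the sample paths are constructed.

```python
import re

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),   # Struts 2.3.5 - 2.3.31
    ((2, 5), (2, 5, 10)),      # Struts 2.5 - 2.5.10
]

# Assumption: jars are named struts2-core-<version>[qualifier].jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)([^/\\]*)\.jar$")


def parse_version(jar_path):
    """Return (version_tuple, qualifier), or None if not a struts2-core jar."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def classify(jar_path):
    """Return 'affected', 'not-affected', 'review' or 'skip' for one path."""
    parsed = parse_version(jar_path)
    if parsed is None:
        return "skip"            # some other library
    version, qualifier = parsed
    if qualifier:
        return "review"          # e.g. -BETA3 or a vendor rebuild: check by hand
    # Tuple comparison orders 2.5.10.1 after 2.5.10 and 2.3.4.1 before 2.3.5.
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed inventory, e.g. from `find / -name 'struts2-core-*.jar'`.
    sample = [
        "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
        "/opt/app2/WEB-INF/lib/struts2-core-2.3.32.jar",
        "/opt/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
        "/opt/app4/WEB-INF/lib/struts2-core-2.5-BETA3.jar",
        "/opt/app4/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    ]
    for path in sample:
        print(f"{classify(path):13} {path}")
```

A `review` result means the file name carries a qualifier the version ranges do not cover, so the jar's manifest or vendor documentation has to be checked manually.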