Description

A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals.

Remediation

Upgrade to Struts 2.5.12 or Struts 2.3.34

References

Security Bulletin S2-053

Related Vulnerabilities

WordPress Plugin PHP Speedy 'admin_container.php' Remote PHP Code Execution (0.5.2)

Drupal Core 8.x.x Remote Code Execution (8.0.0 - 8.4.8)

vBulletin 5.x 0day pre-auth RCE

Code execution

Flask debug mode

Severity

High

Classification

CVE-2017-12611 CWE-94 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution Known Vulnerabilities Acumonitor