Description

A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals.

Remediation

Upgrade to Struts 2.5.12 or Struts 2.3.34

References

Security Bulletin S2-053

Related Vulnerabilities

WordPress Plugin All-in-One WP Migration Remote Code Execution (2.0.2)

Remote code execution vulnerability in WordPress Duplicator

WordPress Plugin Global Content Blocks PHP Code Execution and Information Disclosure Vulnerabilities (1.5.1)

Authentication bypass via MongoDB operator injection

ColdFusion JNDI injection RCE

Severity

High

Classification

CVE-2017-12611 CWE-94 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution Known Vulnerabilities Acumonitor