A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag (the includeParams attribute of the s:url and s:a tags) allows remote command execution, session access and manipulation, and XSS attacks. A request that includes a specially crafted request parameter can inject arbitrary OGNL code into the value stack; when the tag then re-emits that parameter as part of the generated URL or anchor, the injected expression is evaluated a second time.
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, so every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
- It is strongly recommended to upgrade to Struts 2.3.14.2, which contains the corrected OGNL and XWork libraries.
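Two checks a practitioner would run alongside the upgrade, as an added example (not part of the advisory and not Struts project code): a scan of JSP sources for s:url / s:a tags that forward request parameters (includeParams set to all or get), and a scan of request query strings for OGNL expression syntax of the kind the second evaluation would execute. The tag prefix "s", the marker patterns, and the sample JSP and query strings are assumptions constructed for the example; tags that omit includeParams are not flagged, because the effective default depends on the Struts version in use.

```python
import re
from urllib.parse import parse_qsl

# Tags whose includeParams attribute forwards request parameters into the
# rendered URL. Assumption: the Struts taglib is bound to the prefix "s".
_TAG_RE = re.compile(r"<s:(url|a)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_INCLUDE_RE = re.compile(r"""includeParams\s*=\s*["']\s*(\w+)\s*["']""", re.IGNORECASE)

# OGNL syntax that should never appear in an ordinary request parameter.
# Constructed marker list; extend it with what your own traffic shows.
_OGNL_MARKERS = (
    re.compile(r"[%$]\{"),          # %{...} and ${...} expression delimiters
    re.compile(r"@[\w.]+@"),        # @fully.qualified.Class@member static access
    re.compile(r"#_memberAccess"),  # the OGNL security-context object
)


def risky_include_params(jsp_source):
    """Return (tag, value) for each <s:url>/<s:a> whose includeParams is
    'all' or 'get', i.e. a tag that re-exposes request parameters."""
    findings = []
    for m in _TAG_RE.finditer(jsp_source):
        tag, attrs = m.group(1).lower(), m.group(2)
        inc = _INCLUDE_RE.search(attrs)
        if inc and inc.group(1).lower() in ("all", "get"):
            findings.append((tag, inc.group(1).lower()))
    return findings


def suspicious_params(query_string):
    """Return the names of query parameters whose name or value carries OGNL
    syntax. parse_qsl URL-decodes first, so percent-encoded payloads
    (e.g. %25%7B for %{) are matched after decoding, not before."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if any(p.search(name) or p.search(value) for p in _OGNL_MARKERS):
            hits.append(name)
    return hits


# Constructed sample input: a JSP fragment and two query strings.
SAMPLE_JSP = """
<s:url action="listItems" includeParams="all"/>
<s:a href="%{detailUrl}" includeParams='get'>details</s:a>
<s:url action="safe" includeParams="none"/>
<s:url action="unspecified"/>
"""
SAMPLE_QUERIES = [
    "id=7&name=%25%7B1%2B1%7D",          # value decodes to %{1+1}
    "q=price%20%3C%2010&page=2",         # benign
    "%24%7Bx%7D=1",                      # parameter NAME decodes to ${x}
]

if __name__ == "__main__":
    print("risky tags:", risky_include_params(SAMPLE_JSP))
    for q in SAMPLE_QUERIES:
        print(repr(q), "->", suspicious_params(q))
```

The JSP scan is a triage aid, not a fix: a hit means the page forwards attacker-controlled parameters into a tag that evaluates them on vulnerable versions, so set includeParams to none where the parameters are not needed and upgrade regardless. The query-string scan is a detection signature for proxy or access logs; decode before matching, since the markers are almost always percent-encoded on the wire.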