Summary
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.

Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Remote command execution, remote server context manipulation, injection of malicious client side code |
Maximum security rating | Highly Critical |
Recommendation | Developers should immediately upgrade to Struts 2.3.14.2 |
Affected Software | Struts 2.0.0 - Struts 2.3.14.1 |
Reporter | Eric Kobrin and Douglas Rodrigues (Akamai), NSFOCUS Security Team |
CVE Identifier | |

Problem
Both the s:url and s:a tag provide an includeParams attribute.
...
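To find the tag usages this bulletin concerns when planning the upgrade, the following added example (not part of the original bulletin or of Struts itself) scans JSP source for s:url and s:a tags that set includeParams. The sample JSP is constructed, and treating the value `none` as not needing review is an assumption of this example.

```python
import re
import sys
from pathlib import Path

# Opening <s:url ...> / <s:a ...> tags; [^>] also matches newlines, so
# attributes may span lines. \b keeps <s:action> from matching as <s:a>.
# Limitation: a literal '>' inside an attribute value ends the match early.
TAG_RE = re.compile(r"<s:(url|a)\b([^>]*)>")
ATTR_RE = re.compile(r"""\bincludeParams\s*=\s*(["'])(.*?)\1""", re.DOTALL)

# Constructed sample input, not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url id="list" action="list" includeParams="all"/>
<s:a action="edit"
     includeParams='get'>Edit</s:a>
<s:url action="home" includeParams="none"/>
<s:a action="help">Help</s:a>
<s:action name="menu" executeResult="true"/>
"""


def find_include_params(text):
    """Return (line, tag, value) for each s:url / s:a tag setting includeParams."""
    findings = []
    for tag in TAG_RE.finditer(text):
        attr = ATTR_RE.search(tag.group(2))
        if attr:
            line = text.count("\n", 0, tag.start()) + 1  # line where the tag opens
            findings.append((line, "s:" + tag.group(1), attr.group(2).strip()))
    return findings


def needs_review(findings):
    """Keep tags that request parameter inclusion.

    Assumption of this example: the literal value "none" turns inclusion off;
    anything else, including dynamic expressions, is reported.
    """
    return [f for f in findings if f[2].lower() != "none"]


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no directories given: run on the constructed sample
        for line, tag, value in needs_review(find_include_params(SAMPLE_JSP)):
            print(f"sample:{line}: <{tag}> includeParams={value!r}")
    for root in sys.argv[1:]:
        for path in Path(root).rglob("*.jsp"):
            hits = needs_review(find_include_params(path.read_text(errors="replace")))
            for line, tag, value in hits:
                print(f"{path}:{line}: <{tag}> includeParams={value!r}")
```

Pass one or more web application source directories as arguments to list every matching tag with its file and line. The listing supports review only; the upgrade in the Recommendation row remains the fix.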