Description
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
Affected Software:
Struts 2.0.0 - Struts 2.3.15
Remediation
Developers should immediately upgrade to Struts 2.3.15.1
References
Related Vulnerabilities
WordPress Plugin BackWPup Remote and Local Code Execution (1.6.1)
WordPress Plugin Jekyll Exporter Remote Code Execution (2.2.0)
WordPress Plugin Divi Builder PHP Code Injection (4.0.9)
WordPress Plugin Export Users to CSV CSV Injection (1.1.1)
TYPO3 Improper Input Validation Vulnerability (CVE-2010-3716)