XSLTResult can be used to parse arbitrary stylesheet
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating
Affected Software
Struts 2.0.0 - Struts 2.3.28 (except 184.108.40.206 and 220.127.116.11)
Credit
GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab
Problem
XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Solution
Always validate the type and content of uploaded files. We encourage you to upgrade to one of the Apache Struts versions presented above.
Backward compatibility
No issues expected when upgrading to Struts 18.104.22.168, 22.214.171.124 and 126.96.36.199
Workaround
Implement your own XSLTResult based on code of the recommended versions.
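One way to pin the stylesheet for an application that cannot upgrade immediately, as an added example that is not Struts' own code and not the fixed implementation: a result subclass that rejects any location outside a fixed allowlist and disables expression parsing of the location. It assumes that `XSLTResult.getStylesheetLocation()` is the accessor consulted when the result executes and that `setParse(boolean)` is available; both are assumptions to check against the source of the version you run, and the allowlisted paths are constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.struts2.views.xslt.XSLTResult;

/**
 * Result that only transforms with a stylesheet from a fixed allowlist,
 * regardless of what arrives in the request. Example code, not part of Struts.
 */
public class PinnedXsltResult extends XSLTResult {

    // Assumption: these are the only stylesheets this application ships
    // (constructed paths for the example).
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "/WEB-INF/xslt/report.xsl",
                    "/WEB-INF/xslt/summary.xsl")));

    // Web-root relative path only: no scheme, no traversal, no ${...}/%{...} markers.
    private static final Pattern SAFE_FORM =
            Pattern.compile("^/[A-Za-z0-9_./-]+\\.xsl$");

    public PinnedXsltResult() {
        super();
        // Assumption: setParse(false) stops the location being evaluated as an
        // expression before the stylesheet is loaded.
        setParse(false);
    }

    /** Returns the location unchanged if it is allowlisted, otherwise refuses. */
    public static String validate(String location) {
        if (location == null
                || location.contains("..")
                || !SAFE_FORM.matcher(location).matches()
                || !ALLOWED.contains(location)) {
            throw new IllegalArgumentException(
                    "stylesheet location not permitted: " + location);
        }
        return location;
    }

    @Override
    public String getStylesheetLocation() {
        // Assumption: this accessor is what XSLTResult.execute() consults for
        // the stylesheet path in your version; verify against its source.
        return validate(super.getStylesheetLocation());
    }
}
```

Register it as the result type in struts.xml in place of the stock XSLTResult; the rejection surfaces as an exception, which should be logged and alerted on since a rejected location is evidence of tampering.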