Summary
XSLTResult can be used to parse an arbitrary stylesheet
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating

Affected Software
Struts 2.0.0 - Struts 2.3.28 (except 126.96.36.199 and 188.8.131.52)
Reporter
GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab
Problem
XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Solution
Always validate the type and content of uploaded files. We encourage you to upgrade to one of the versions of Apache Struts presented above.
Backward compatibility
No issues expected when upgrading to Struts 184.108.40.206, 220.127.116.11 and 18.104.22.168
Workaround
Implement your own XSLTResult based on the code of the recommended versions.
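The following is an added illustration of the workaround above, not code from the Struts project or this advisory. It shows the defensive shape a replacement result can take: the stylesheet is chosen by a logical name fixed in struts.xml and mapped to an allowlist of classpath resources, so nothing taken from the request can influence which stylesheet is loaded, and the TransformerFactory is configured to refuse external DTDs and externally located stylesheets. The class name, package, allowlist entries, the `stylesheetName` parameter and the `XmlProvidingAction` interface are all assumptions made for this example; `Result`, `ActionInvocation` and `ServletActionContext` are the real Struts 2 types.

```java
package example.security; // hypothetical package for this added example

import java.io.InputStream;
import java.io.StringReader;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.Result;
import org.apache.struts2.ServletActionContext;

/**
 * Hypothetical replacement for XSLTResult. The stylesheet location is never
 * read from request parameters: the only input is a logical name configured
 * statically in struts.xml, resolved here against a fixed allowlist.
 */
public class AllowlistedXsltResult implements Result {

    /** Constructed sample allowlist: logical name -> classpath resource. */
    private static final Map<String, String> STYLESHEETS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("report", "/xslt/report.xsl");
        m.put("export", "/xslt/export.xsl");
        STYLESHEETS = Collections.unmodifiableMap(m);
    }

    /** Set via <param name="stylesheetName"> in struts.xml (assumed parameter name). */
    private String stylesheetName;

    public void setStylesheetName(String stylesheetName) {
        this.stylesheetName = stylesheetName;
    }

    /** Resolve a logical name to an allowlisted resource, or fail closed. */
    static String resolveStylesheet(String name) {
        String path = STYLESHEETS.get(name);
        if (path == null) {
            throw new IllegalArgumentException("stylesheet not allowed: " + name);
        }
        return path;
    }

    /** Factory that refuses external DTDs and xsl:import/xsl:include from other locations. */
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    @Override
    public void execute(ActionInvocation invocation) throws Exception {
        String path = resolveStylesheet(stylesheetName);
        try (InputStream xsl = getClass().getResourceAsStream(path)) {
            if (xsl == null) {
                throw new IllegalStateException("missing stylesheet resource: " + path);
            }
            Transformer t = hardenedFactory().newTransformer(new StreamSource(xsl));
            // The action supplies its own XML document explicitly (assumed interface below).
            String xml = ((XmlProvidingAction) invocation.getAction()).toXml();
            Source input = new StreamSource(new StringReader(xml));
            ServletActionContext.getResponse().setContentType("text/xml");
            t.transform(input, new StreamResult(ServletActionContext.getResponse().getWriter()));
        }
    }

    /** Assumed interface implemented by actions that want to be rendered through XSLT. */
    public interface XmlProvidingAction {
        String toXml();
    }
}
```

To wire it in, register the class as a result type in struts.xml (for example `<result-type name="allowlistedXslt" class="example.security.AllowlistedXsltResult"/>`) and reference it from an action with `<result type="allowlistedXslt"><param name="stylesheetName">report</param></result>`. Because `stylesheetName` is set from configuration and checked against the allowlist before any file is opened, a request carrying its own location parameter has no effect on which stylesheet runs.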