XSLTResult can be used to parse arbitrary stylesheet
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating
Affected Software
Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Reporter
GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab
Problem
XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Solution
Always validate the type and content of uploaded files. We encourage you to upgrade to one of the Apache Struts versions listed above.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1
Workaround
Implement your own XSLTResult based on code of the recommended versions.
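The workaround above asks for a custom XSLTResult that does not take its stylesheet location from the request. The following Java class is an added example, not code from Apache Struts or from the advisory; the class name, the allow-list, and the regular expression are assumptions of mine, and the XSLT transformation itself is left out. It shows the one decision such a result has to get right: accept only a configured, allow-listed, relative resource name, and never a value that arrived in a request parameter.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical guard (added example, not Struts code) for choosing which
 * stylesheet an XSLT result may load. It accepts only locations that the
 * application configured itself and that look like plain, relative resource
 * names; anything resembling a URL, an absolute path or a parent-directory
 * escape is rejected before the allow-list is even consulted.
 */
public final class StylesheetLocationGuard {

    // Relative resource names only, e.g. "views/report.xsl"
    // (assumption: stylesheets are shipped as classpath resources).
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\\.xslt?$");

    private final Set<String> allowedLocations;

    public StylesheetLocationGuard(Set<String> allowedLocations) {
        this.allowedLocations = Set.copyOf(allowedLocations);
    }

    /** True only for a well-formed, allow-listed location. */
    public boolean isAllowed(String location) {
        if (location == null || location.isEmpty()) {
            return false;
        }
        // Reject schemes, absolute paths, backslashes and ".." outright.
        if (location.contains("://") || location.startsWith("/")
                || location.contains("\\") || location.contains("..")) {
            return false;
        }
        if (!SAFE_NAME.matcher(location).matches()) {
            return false;
        }
        return allowedLocations.contains(location);
    }

    /**
     * Returns the stylesheet to use. Only the configured value is consulted;
     * a value carried in the request is never used to pick a stylesheet.
     */
    public String resolve(String configuredLocation) {
        if (!isAllowed(configuredLocation)) {
            throw new IllegalStateException(
                    "stylesheet location not permitted: " + configuredLocation);
        }
        return configuredLocation;
    }

    public static void main(String[] args) {
        StylesheetLocationGuard guard =
                new StylesheetLocationGuard(Set.of("views/report.xsl", "views/list.xsl"));

        // Constructed candidates: the first is configured by the application;
        // the others mimic values a request parameter could carry and must be refused.
        String[] candidates = {
            "views/report.xsl",
            "views/other.xsl",
            "http://example.invalid/remote.xsl",
            "../WEB-INF/web.xml",
            "/tmp/injected.xsl",
        };
        for (String candidate : candidates) {
            System.out.println(candidate + " -> "
                    + (guard.isAllowed(candidate) ? "allowed" : "rejected"));
        }
        System.out.println("resolved: " + guard.resolve("views/report.xsl"));
    }
}
```

In a custom result, `resolve` would be called with the location taken from the result configuration in `struts.xml`, and the request parameters would not be read at all; the `isAllowed` check is a second line of defence in case the configured value itself is built from untrusted input.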