...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Manipulation of Struts' internals, altering of user session |
Maximum security rating | High |
Recommendation | Update the regex used to exclude vulnerable incoming parameters. Alternatively, upgrade to Struts 2.3.24.1 |
Affected Software | Struts 2.0.0 - Struts 2.3.24.1 |
Reporter | rskvp93 at gmail dot com from Viettel Information Security Center |
CVE Identifier | CVE-2015-5209 |
Problem
ValueStack defines a special `top` object which represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings.
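The recommended mitigation is a parameter-name filter: a name is forwarded to the ValueStack only if it matches an accept-list and matches none of the exclusion patterns. The block below is an added illustration, not Struts' own code; the accept-list regex, the `^top(\.|\[).*` exclusion and the sample request are assumptions constructed for the example.

```python
import re

# Assumed accept-list: the plain property-navigation syntax a form normally uses
# (modelled on Struts' acceptParamNames idea; the exact default is not on the page).
ACCEPTED_NAME = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")

# Assumed exclusion list in the style of ParametersInterceptor's excludeParams.
# The first entry is the hypothetical addition this advisory calls for: drop any
# parameter name that starts by addressing the ValueStack root object 'top'.
EXCLUDED_NAMES = [re.compile(p) for p in (
    r"^top(\.|\[).*",
    r"(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")\]|\[).*",
    r"^(struts|session|request|application|parameters|servlet(Request|Response))\..*",
)]


def is_accepted(name: str) -> bool:
    """True only if the whole name matches the accept-list and no exclusion
    (fullmatch mirrors Java's Matcher.matches(), which Struts uses)."""
    if not ACCEPTED_NAME.fullmatch(name):
        return False
    return not any(p.fullmatch(name) for p in EXCLUDED_NAMES)


def filter_params(params: dict) -> tuple[dict, list]:
    """Split a request's parameters into those forwarded to the ValueStack and
    the names that were dropped, preserving request order."""
    kept, dropped = {}, []
    for name, value in params.items():
        if is_accepted(name):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


# Constructed sample request: ordinary form fields mixed with names that would
# reach Struts internals through the root object or a class property chain.
SAMPLE_REQUEST = {
    "user.name": "alice",
    "order[0].qty": "2",
    "classic.label": "ok",        # contains 'class' but is a harmless property
    "top.foo": "x",               # addresses the ValueStack root object
    "top['bar']": "y",            # same object, bracket syntax
    "class.classLoader.x": "z",   # classic traversal towards the class loader
    "session.userId": "1",        # Struts-managed session map
    "bad name!": "q",             # fails the accept-list outright
}

if __name__ == "__main__":
    kept, dropped = filter_params(SAMPLE_REQUEST)
    print("forwarded:", sorted(kept))
    print("dropped:  ", dropped)
```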
...