...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating | Medium |
Recommendation | Always validate type and content of uploaded files, do not expose them directly in your web application. Alternatively upgrade to Struts 2.3.20.2, Struts 2.3.24.2 or Struts 2.3.28.1. |
Affected Software | Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2) |
Reporter | GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab |
CVE Identifier | CVE-2016-3082 |
Problem
XSLTResult allows the location of the stylesheet to be passed as a request parameter. An attacker who can place a stylesheet where the application will load it (for example, an uploaded file that the web application exposes directly) can then point XSLTResult at it, and in some circumstances this can be used to execute arbitrary code remotely.
Solution
Always validate the type and content of uploaded files, and do not expose them directly in your web application. We encourage you to upgrade to one of the Apache Struts versions listed above.
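The mitigation above amounts to never letting a request parameter name a stylesheet path. The following is an added example, not code from the Struts project or from this bulletin: a hypothetical `StylesheetSelector` helper that treats the client-supplied value purely as a key into a fixed allowlist of stylesheets shipped under an assumed `/WEB-INF/xslt/` directory, so an uploaded file or a traversal string can never be selected. The directory, the keys and the file names are assumptions for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical helper (added example, not Struts code): maps a client-supplied
 * stylesheet key to one of a fixed set of stylesheets that ship with the
 * application. The request parameter is only ever a lookup key, never a path.
 */
public final class StylesheetSelector {

    // Assumed layout: stylesheets live under /WEB-INF/xslt inside the webapp,
    // a location that user uploads are never written to.
    private static final Path STYLESHEET_DIR = Paths.get("/WEB-INF/xslt").normalize();

    // Allowlist: request key -> stylesheet file name. Anything not listed is rejected.
    private static final Map<String, String> ALLOWED = Map.of(
            "summary", "summary.xsl",
            "detail",  "detail.xsl");

    private StylesheetSelector() {}

    /**
     * Returns the webapp-relative stylesheet location for an allowed key,
     * or an empty Optional when the key is missing or not in the allowlist.
     */
    public static Optional<String> locationFor(String requestedKey) {
        if (requestedKey == null) {
            return Optional.empty();
        }
        String fileName = ALLOWED.get(requestedKey);
        if (fileName == null) {
            return Optional.empty();
        }
        Path resolved = STYLESHEET_DIR.resolve(fileName).normalize();
        // Defence in depth: the allowlist already guarantees this, but refuse
        // anything that would resolve outside the stylesheet directory.
        if (!resolved.startsWith(STYLESHEET_DIR)) {
            return Optional.empty();
        }
        return Optional.of(resolved.toString().replace('\\', '/'));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate key, a traversal attempt,
        // a direct path to an uploaded file, and a missing parameter.
        String[] samples = {"summary", "../../uploads/evil.xsl", "/uploads/evil.xsl", null};
        for (String key : samples) {
            System.out.println(key + " -> " + locationFor(key).orElse("REJECTED"));
        }
    }
}
```

In an action, the validated location returned by `locationFor` is what gets handed to the XSLT result (for instance via a field the result reads); the raw request parameter is never used as a location. Keys that are not in the allowlist, including any path to an upload directory, are rejected rather than resolved.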
...