...
Action name clean up is error prone S2-035- Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
- Remote Code Execution can be performed when using REST Plugin S2-037
- It is possible to bypass token validation and perform a CSRF attack S2-038
- Getter as action method leads to security bypass S2-039
- Input validation bypass using existing default action method S2-040
- Possible DoS attack when using URLValidator S2-041
- Fixed all reported issues related to new version of the Apache Tiles, see WW-4622, WW-4623, WW-4624
MessageStoreInterceptorwas extended to support 3rd-partyRedirectResultsubclasses, see WW-4618EmailValidatorsupports.catdomain, see WW-4626- [WW-4608] - Json result type breaks
- [WW-4618] - MessageStorePreResultListener doesn't store messages for 3rd-party RedirectResult subclasses
- [WW-4622] - [struts2-tiles-plugin] [2.3.28] [StrutsWildcardServletTilesApplicationContext] getRealPath
- [WW-4623] - Multiple tiles.xml in web.xml
- [WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
- [WW-4626] - EmailValidator flags .cat emails as invalid
- [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80
- [WW-4629] - Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+
- [WW-4630] - <s:submit> generates a value attribute for type=image which violates W3C
- [WW-4633] - ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1and few other small improvements, please see the release notes
| Note |
|---|
This release contains fix fixe related to S2-028 S2-035, S2-036, S2-037, S2-038, S2-039, S2-029040 and S2-030041 security bulletins, please read it carefully! |
Issue Detail
Issue List
...