...
Excerpt |
---|
|
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating |
Moderate | |
Recommendation | Always validate type and content of uploaded files, do not expose them directly in your web application. Alternatively upgrade to Struts 2.3.20. |
---|
3 or Struts 2.3.28.1. | |
Affected Software | Struts 2.0.0 - Struts Struts 2.3.28 (except 2.3.20. |
---|
3 and 2.3.24. |
3) | |
Reporter | GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab |
---|---|
CVE Identifier | CVE-2016-3082 |
Problem
XSLTResult
allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
...
No issues expected when upgrading to Struts 2.3.20.23, 2.3.24.2 3 and 2.3.28.1
Workaround
Implement your own XSLTResult
based on code of the recommended versions.