A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Remote command execution
Maximum security rating
Developers should immediately upgrade to Struts 184.108.40.206
Struts 2.0.0 - Struts 2.3.15
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.