...
- Action name clean up is error prone S2-035
- Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
- Remote Remote Code Execution can be performed when using REST Plugin S2-037
- It It is possible to bypass token validation and perform a CSRF attack S2-038
- Getter Getter as action method leads to security bypass S2-039
- Input Input validation bypass using existing default action method S2-040
- Possible DoS attack when using URLValidator S2-041
- [WW-4608] - Json result type breaks
- [WW-4618] - MessageStorePreResultListener doesn't store messages for 3rd-party RedirectResult subclasses
- [WW-4622] - [struts2-tiles-plugin] [2.3.28] [StrutsWildcardServletTilesApplicationContext] getRealPath
- [WW-4623] - Multiple tiles.xml in web.xml
- [WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
- [WW-4626] - EmailValidator flags .cat emails as invalid
- [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80
- [WW-4629] - Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+
- [WW-4630] - <s:submit> generates a value attribute for type=image which violates W3C
- [WW-4633] - ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1
...