...
Excerpt |
---|
Input validation bypass using existing default action method. |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible manipulation of return result and bypassing validation |
Maximum security rating |
Moderate | |
Recommendation | Upgrade to Struts 2.3.29. |
---|---|
Affected Software | Struts 2.3.20 - Struts Struts 2.3.28.1 |
Reporter | Takeshi Terada websec02 dot g02 at gmail.com |
CVE Identifier | CVE-2016-4431 |
Problem
Using existing default method it can be possible to bypass internal security mechanism and manipulate return string which can leads to redirecting user to unvalidated location.
...