XSLTResultcan be used to parse arbitrary stylesheet
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating
Struts 2.0.0 - Struts Struts 2.3.28 (except 220.127.116.11 and 18.104.22.168)
GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Always validate type and content of uploaded files. We encourage you to upgrade to one of the versions of the Apache Struts presented above.
No issues expected when upgrading to Struts 22.214.171.124, 126.96.36.199 and 188.8.131.52
Implement your own
XSLTResult based on code of the recommended versions.