Home > Security Bulletins

The following security bulletins are available:

  • S2-001Remote code exploit on form validation error
  • S2-002Cross site scripting (XSS) vulnerability on and tags
  • S2-003XWork ParameterInterceptors bypass allows OGNL statement execution
  • S2-004Directory traversal vulnerability while serving static content
  • S2-005XWork ParameterInterceptors bypass allows remote command execution
  • S2-006Multiple Cross-Site Scripting (XSS) in XWork generated error pages
  • S2-007User input is evaluated as an OGNL expression when there's a conversion error
  • S2-008Multiple critical vulnerabilities in Struts2
  • S2-009ParameterInterceptor vulnerability allows remote command execution
  • S2-010When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
  • S2-011Long request parameter names might significantly promote the effectiveness of DOS attacks
  • S2-012Showcase app vulnerability allows remote command execution
  • S2-013A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
  • S2-014A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
  • S2-015A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
  • S2-016A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
  • S2-017A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
  • S2-018Broken Access Control Vulnerability in Apache Struts2
  • S2-019Dynamic Method Invocation disabled by default
  • S2-020Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
  • S2-021Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation
  • S2-022Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals