Security Bulletins

The following security bulletins are available:

  • S2-001: Remote code exploit on form validation error
  • S2-002: Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags
  • S2-003: XWork ParameterInterceptors bypass allows OGNL statement execution
  • S2-004: Directory traversal vulnerability while serving static content
  • S2-005: XWork ParameterInterceptors bypass allows remote command execution
  • S2-006: Multiple Cross-Site Scripting (XSS) in XWork generated error pages
  • S2-007: User input is evaluated as an OGNL expression when there's a conversion error
  • S2-008: Multiple critical vulnerabilities in Struts2
  • S2-009: ParameterInterceptor vulnerability allows remote command execution
  • S2-010: When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
  • S2-011: Long request parameter names might significantly promote the effectiveness of DOS attacks
  • S2-012: Showcase app vulnerability allows remote command execution
  • S2-013: A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
  • S2-014: A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
  • S2-015: A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
  • S2-016: A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
  • S2-017: A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
  • S2-018: Broken Access Control Vulnerability in Apache Struts2
  • S2-019: Dynamic Method Invocation disabled by default
  • S2-020: Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
  • S2-021: Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation
  • S2-022: Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals
  • S2-023: Generated value of token can be predictable
  • S2-024: Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker
  • S2-025: Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files
  • S2-026: Special top object can be used to access Struts' internals
  • S2-027: TextParseUtil.translateVariables does not filter malicious OGNL expressions
  • S2-028: Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.
  • S2-029: Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
  • S2-030: Possible XSS vulnerability in I18NInterceptor
  • S2-031: XSLTResult can be used to parse arbitrary stylesheet
  • S2-032: Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
  • S2-033: Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.
  • S2-034: OGNL cache poisoning can lead to DoS vulnerability
  • S2-035: Action name clean up is error prone
  • S2-036: Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)
  • S2-037: Remote Code Execution can be performed when using REST Plugin.
  • S2-038: It is possible to bypass token validation and perform a CSRF attack
  • S2-039: Getter as action method leads to security bypass
  • S2-040: Input validation bypass using existing default action method.
  • S2-041: Possible DoS attack when using URLValidator