Package Instance

Allows open redirects
Multiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix.

Code Injection
Apache Struts allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both `${}` and `%{}` sequences, which causes the OGNL code to be evaluated twice.

Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the `includeParams` attribute in the URL or A tag.

Incomplete fix for ClassLoader manipulation via ParametersInterceptor
The `ParametersInterceptor` in this package allows remote attackers to `manipulate` the `ClassLoader` via the class parameter, which is passed to the getClass method.

Code Injection
Apache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

XWork ParameterInterceptors bypass allows remote command execution
The OGNL extensive expression evaluation capability in this package as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the `#context`, `#_memberAccess`, `#root`, `#this`, `#_typeResolver`, `#_classResolver`, `#_traceEvaluations`, `#_lastEvaluation`, `#_keepLastEvaluation`, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Multiple XSS flaws in XWork
Multiple cross-site scripting (XSS) vulnerabilities in XWork allow remote attackers to inject arbitrary web script or HTML via vectors involving an action name, the action attribute of an s:submit element, or the method attribute of an `s:submit` element.

OGNL expression unexpected evaluation on conversion error
This package evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

Long parameter name DoS
This package allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

Broken Access Control Vulnerability
This package allows remote attackers to bypass access controls via a crafted action: `prefix`.

Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the URL or A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

CSRF protection bypass
The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.