The following security bulletins are available:
- S2-001 — Remote code exploit on form validation error
- S2-002 — Cross site scripting (XSS) vulnerability on and tags
- S2-003 — XWork ParameterInterceptors bypass allows OGNL statement execution
- S2-004 — Directory traversal vulnerability while serving static content
- S2-005 — XWork ParameterInterceptors bypass allows remote command execution
- S2-006 — Multiple Cross-Site Scripting (XSS) in XWork generated error pages
- S2-007 — User input is evaluated as an OGNL expression when there's a conversion error
- S2-008 — Multiple critical vulnerabilities in Struts2
- S2-009 — ParameterInterceptor vulnerability allows remote command execution
- S2-010 — When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
- S2-011 — Long request parameter names might significantly promote the effectiveness of DOS attacks
- S2-012 — Showcase app vulnerability allows remote command execution
- S2-013 — A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
- S2-014 — A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
- S2-015 — A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
- S2-016 — A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
- S2-017 — A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
- S2-018 — Broken Access Control Vulnerability in Apache Struts2
- S2-019 — Dynamic Method Invocation disabled by default
- S2-020 — Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)
$page.link($child)
(Apache Struts 2 Documentation)