Paolo Perliti

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.x through 2.3.25 **Description** The issue arises from the lack of text sanitization in the Locale object constructed by I18NInterceptor, potentially allowing remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. This could enable remote attackers to perform cross-site scripting attacks. **Recommendations** For versions prior to 2.3.25, update to version 2.3.25 or later to resolve the issue. For versions prior to 2.3.28, update to version 2.3.28 or later to resolve the issue. As a temporary workaround, consider disabling the I18NInterceptor function until a patch is available.