René Gielen

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.0.0 through 2.3.4 **Description** The issue is related to the implementation of the token check mechanism in Apache Struts, which does not properly validate the token name configuration parameter. This allows remote attackers to perform cross-site request forgery (CSRF) attacks. The exploitation of this issue can enable an attacker to execute unauthorized requests. **Recommendations** For Apache Struts versions 2.0.0 through 2.3.4, update to a version that properly validates the token name configuration parameter to prevent CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Struts versions 2.0.0 through 2.3.4 **Description** The issue allows remote attackers to cause a denial of service, specifically CPU consumption, by sending specially crafted requests with very long parameter names, which are processed as OGNL expressions. This is related to insufficient access controls in the Apache Struts platform. **Recommendations** For Apache Struts versions 2.0.0 through 2.3.4, consider restricting access to parameters that could be used to cause a denial of service, or apply configuration changes to limit the processing of long parameter names as OGNL expressions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.