Apache · Apache Struts · CVE-2011-2087
**Name of the Vulnerable Software and Affected Versions**
Apache Struts versions prior to 2.2.3
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a `.action` URI. This is related to improper handling of value attributes in various component handlers, including `FileHandler.java`, `HiddenHandler.java`, `PasswordHandler.java`, `RadioHandler.java`, `ResetHandler.java`, `SelectHandler.java`, `SubmitHandler.java`, and `TextFieldHandler.java`.
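The class of flaw described above, as an added example that is not Struts source code: a request parameter written into a `value` attribute without encoding, beside the same output with encoding applied at the point of rendering. The class name, method names, and sample parameters are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ValueAttributeEncoding {

    // Escape the characters that can end an attribute value or open a tag.
    static String escapeHtmlAttr(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe pattern: the request value is concatenated into the attribute as-is,
    // so a quote in the value ends the attribute and the rest is parsed as markup.
    static String renderUnencoded(String type, String name, String value) {
        return "<input type=\"" + type + "\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    // Hardened pattern: every attribute value is encoded where it is written out.
    static String renderEncoded(String type, String name, String value) {
        return "<input type=\"" + escapeHtmlAttr(type) + "\" name=\"" + escapeHtmlAttr(name)
             + "\" value=\"" + escapeHtmlAttr(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample parameters, as a form submitted to a .action URI might carry them.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("comment", "5 > 3 & \"quoted\" <b>bold</b>");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println("unencoded: " + renderUnencoded("text", e.getKey(), e.getValue()));
            System.out.println("encoded:   " + renderEncoded("text", e.getKey(), e.getValue()));
        }
    }
}
```

In the unencoded output for `comment`, the attribute ends at the first embedded quote and the `<b>` element becomes live markup; in the encoded output the whole string stays inside the `value` attribute as text.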
**Recommendations**
For versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue.
As a temporary workaround, consider restricting access to the `.action` URI to minimize the risk of exploitation.
Until the update is applied, avoid passing arbitrary parameter values to the affected `.action` URI.