Eric Kobrin

Researcher from Akamai
#27465 of 53,633
9.3 Total CVSS
Vulnerabilities · 1
PT-2013-1359
9.3
2013-05-24
Apache · Apache Struts · CVE-2013-2115
**Name of the Vulnerable Software and Affected Versions**

Apache Struts versions prior to 2.3.14.2

**Description**

The issue stems from how Struts handles the `includeParams` attribute, which allows a remote attacker to execute arbitrary code by sending a specially crafted request. This can lead to remote command execution, session access and manipulation, and XSS attacks. The `includeParams` attribute of the `s:url` and `s:a` tags determines whether HTTP request parameters are included in the generated URL; the allowed values are `none`, `get`, and `all`. A specially crafted request parameter can inject arbitrary OGNL code into the value stack, where it is evaluated as an OGNL expression, enabling method execution and bypassing the protections of Struts and the OGNL library.

**Recommendations**

For Apache Struts versions prior to 2.3.14.2, update to version 2.3.14.2 or later to resolve the issue. As a temporary workaround, restrict the use of the `includeParams` attribute in the `s:url` and `s:a` tags to minimize the risk of exploitation. Avoid the `all` value for `includeParams`; use `none` or `get` instead to limit the inclusion of request parameters.
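The workaround above, shown as a JSP fragment that is an added example and not part of the advisory: the weak tag setting beside the hardened one, which stops copying request parameters and passes only the parameter the link needs. The action name `viewReport` and the parameter `reportId` are assumed.

```jsp
<%-- Added example (not from the advisory). Action and parameter names are assumed. --%>
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- Weak: every request parameter is copied into the generated URL, and on
     affected versions a crafted parameter is evaluated as OGNL on the way. --%>
<s:url var="reportAll" action="viewReport" includeParams="all" />
<s:a href="%{reportAll}">View report (includeParams=all)</s:a>

<%-- Hardened: do not copy request parameters at all (includeParams="none");
     pass only the parameter the link actually needs, explicitly, via s:param. --%>
<s:url var="reportSafe" action="viewReport" includeParams="none">
    <s:param name="reportId" value="%{reportId}" />
</s:url>
<s:a href="%{reportSafe}">View report</s:a>
```

This is a mitigation for the tag usage only; the fix remains upgrading to 2.3.14.2 or later.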