Apache · Apache Struts · CVE-2024-53677
## Vulnerability Summary
**Name of the Vulnerable Software and Affected Versions:** Apache Struts versions 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.
**Description**
A critical flaw exists in the legacy file upload logic of Apache Struts (the `FileUploadInterceptor`). An attacker can manipulate file upload parameters to achieve path traversal, which can place a malicious file at an attacker-chosen location and lead to Remote Code Execution (RCE). Exploitation is actively occurring in the wild, and proof-of-concept exploits are publicly available. Depending on the privileges of the affected service account, successful exploitation could allow an attacker to install programs, view, change, or delete data, or create new accounts with full user rights.
**Recommendations**
Upgrade to Struts 6.4.0 or later and migrate the application to the new file upload mechanism; both steps are required, because the upgrade alone leaves the legacy `FileUploadInterceptor` available and still in use by any action configured with it. An application whose configuration does not use the `FileUploadInterceptor` is not vulnerable.
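As an added audit example (not part of this advisory), the following Python applies the advisory's two conditions, an affected struts2-core version and a configuration that wires in `FileUploadInterceptor`, to a version string and the text of a struts.xml. The sample struts.xml fragment and the `example.UploadAction` class name are constructed for the example.

```python
import re

# Affected ranges exactly as the advisory states them (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]

# Indicators that the legacy interceptor is wired in: the "fileUpload"
# interceptor name from struts-default, or the class referenced directly.
LEGACY_PATTERNS = [
    re.compile(r'<interceptor-ref\s+name="fileUpload"'),
    re.compile(r'org\.apache\.struts2\.interceptor\.FileUploadInterceptor'),
]

def parse_version(ver):
    """'6.3.0.2' -> (6, 3, 0, 2); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in ver.split("-")[0].split("."))

def version_in_affected_range(ver):
    """True if struts2-core `ver` falls inside one of the advisory's ranges."""
    v = parse_version(ver)
    for low, high in AFFECTED_RANGES:
        n = max(len(v), len(low), len(high))
        pad = lambda t: t + (0,) * (n - len(t))  # compare at equal length
        if pad(low) <= pad(v) <= pad(high):
            return True
    return False

def uses_legacy_file_upload(struts_xml):
    """True if the struts.xml text references FileUploadInterceptor directly."""
    return any(p.search(struts_xml) for p in LEGACY_PATTERNS)

def assess(ver, struts_xml):
    """Advisory logic: the flaw is reachable only through FileUploadInterceptor."""
    if not uses_legacy_file_upload(struts_xml):
        return "not vulnerable: FileUploadInterceptor not referenced"
    if version_in_affected_range(ver):
        return "vulnerable: upgrade to 6.4.0+ and migrate off FileUploadInterceptor"
    return "migration required: still using FileUploadInterceptor"

# Constructed sample struts.xml fragment with the legacy interceptor wired in.
SAMPLE_STRUTS_XML = """<struts>
  <package name="upload" extends="struts-default">
    <action name="doUpload" class="example.UploadAction">
      <interceptor-ref name="fileUpload"><param name="maximumSize">1048576</param></interceptor-ref>
      <interceptor-ref name="basicStack"/>
      <result>/done.jsp</result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    print(assess("6.3.0.2", SAMPLE_STRUTS_XML))
```

The regexes only catch explicit references; an action that receives the interceptor through an inherited stack (for example `defaultStack`, which includes `fileUpload`) must be checked by reading the stack definition as well.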