CVE-2013-1966

Name of the Vulnerable Software and Affected Versions Apache Struts 2 versions prior to 2.3.14.2

Description The issue is related to the incorrect handling of the includeParams attribute in the URL or A tag, allowing remote attackers to execute arbitrary OGNL code via a crafted request. This is due to a flaw in the implementation of the OGNL (Object-Graph Navigation Language) expression language class. Exploitation of this issue can enable a remote attacker to execute arbitrary code by sending a specially crafted request.

Recommendations For Apache Struts 2 versions prior to 2.3.14.2, update to version 2.3.14.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the includeParams attribute in the URL or A tag to minimize the risk of exploitation.