PT-2013-1355 · Apache · Apache Struts

Takeshi Terada · Published 2013-07-09 · Updated 2022-05-17 · CVE-2013-2248

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.0.0 through 2.3.15
Description: The issue lies in the implementation of the DefaultActionMapper mechanism in Apache Struts, which performs insufficient validation of parameters carrying the redirect: or redirectAction: prefix. A remote attacker can exploit this to conduct phishing attacks via a specially crafted URL, because the vulnerability allows users to be redirected to arbitrary web sites.
Recommendations: For Apache Struts versions 2.0.0 through 2.3.15, consider updating to a version that contains a fix for this issue, since affected versions allow the information following the redirect: or redirectAction: prefix to be easily manipulated to redirect to an arbitrary location. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
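One way to spot abuse of the redirect: / redirectAction: prefix in web server logs, as an added example (Python, not code from Apache Struts or from this advisory; the trusted-host allow-list, hostnames and sample request lines are constructed assumptions):

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# DefaultActionMapper reads the prefix from the parameter *name*, e.g.
# /login.action?redirect:http://evil.example/ (no '=' is needed).
PREFIXES = ("redirect:", "redirectAction:")
# Hosts this deployment legitimately redirects to (assumed allow-list).
TRUSTED_HOSTS = {"www.example.com", "sso.example.com"}

# Constructed request lines in access-log form (not real traffic).
SAMPLE_LOG = """\
GET /app/login.action?redirect:/welcome.action HTTP/1.1
GET /app/login.action?redirect:http://evil.example/phish HTTP/1.1
GET /app/login.action?redirectAction%3A//evil.example/ HTTP/1.1
GET /app/login.action?redirect:https://sso.example.com/ok HTTP/1.1
GET /app/list.action?page=2 HTTP/1.1
"""

def off_site_target(name: str) -> Optional[str]:
    """Return the redirect target if a prefixed parameter name leaves the site."""
    for prefix in PREFIXES:
        if name.lower().startswith(prefix.lower()):  # case-insensitive, to be conservative
            target = name[len(prefix):].strip()
            # scheme://host or protocol-relative //host targets leave the
            # application; a relative path stays on the same origin.
            if re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", target) or target.startswith("//"):
                host = (urlsplit(target).hostname or "").lower()
                if host not in TRUSTED_HOSTS:
                    return target
    return None

def scan_request_line(line: str) -> Optional[str]:
    """Return the off-site redirect target in one request line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    # parse_qsl decodes %3A in names and keeps a name without '=' as a blank value.
    for name, _value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        hit = off_site_target(name)
        if hit:
            return hit
    return None

def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, target) for each request that redirects off-site."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = scan_request_line(line)
        if hit:
            hits.append((lineno, hit))
    return hits
```

Running scan_log(SAMPLE_LOG) flags lines 2 and 3 only; the relative path and the allow-listed SSO host are left alone.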

Exploit

RCE


Weakness Enumeration

Related identifiers

BDU:2022-05820
CVE-2013-2248
GHSA-RPJ9-R897-WC6Q

Affected products

Apache Struts