CVE-2015-5169

Name of the Vulnerable Software and Affected Versions Apache Struts versions prior to 2.3.20

Description The issue is related to a cross-site scripting (XSS) vulnerability. It is associated with the debug mode (devMode) of the Apache Struts platform, where the structure of web pages is not properly protected. This could allow a remote attacker to perform inter-site script attacks. The vulnerability can be exploited when the Struts2 debug mode is turned on under certain conditions, allowing an arbitrary script to be executed in the 'Problem Report' screen. Additionally, if JSP files are directly accessible, it is possible to execute an arbitrary script.

Recommendations For versions prior to 2.3.20, upgrade to Apache Struts 2.3.20 or higher. As a temporary workaround, consider turning off the debug mode in production setups. Restrict access to JSP files by hiding them inside the WEB-INF folder or defining dedicated security constraints to block access to raw JSP files.