PT-2015-3441 · Apache · Apache Struts

Takayoshi Isayama

·

Published

2015-08-13

·

Updated

2022-05-24

·

CVE-2015-2992

CVSS v2.0

6.4

Medium

Vector AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.20
Description: The issue is a cross-site scripting (XSS) vulnerability in the implementation of the Struts 2 development mode (devMode). A remote attacker can exploit it to carry out cross-site scripting attacks. When devMode is enabled, under certain conditions attacker-supplied script can be executed in the 'Problem Report' page that Struts renders on errors. Additionally, if JSP files are exposed so that they can be requested directly from the container rather than only reached through a Struts action, arbitrary script can be executed through them.
Recommendations: For versions prior to 2.3.20, turn off devMode (struts.devMode = false) in production deployments; development mode is intended for local development only and must not be enabled on an exposed system. Always keep JSP files inside the WEB-INF folder, which the container never serves directly, or define dedicated security constraints in web.xml that block requests for raw JSP files. Upgrading to Struts 2.3.20 or later removes the issue; where an upgrade is not immediately possible, the two measures above mitigate it.
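The following audit script is an added example and is not part of this advisory or of Apache Struts itself. It checks a Struts 2 deployment for the two conditions the recommendations above address: struts.devMode left enabled, and JSP results that live outside /WEB-INF/ without a web.xml security constraint denying direct *.jsp requests. The struts.xml and web.xml samples embedded in it are constructed for the example (a weak configuration beside its hardened form); the function names audit, dev_mode_enabled, exposed_jsp_results and raw_jsp_blocked are the example's own, not a Struts API.

```python
"""Audit Struts 2 configuration for the conditions behind CVE-2015-2992 (S2-025):
devMode enabled, and raw JSP files reachable outside WEB-INF.

All XML below is constructed sample input for this example; it is not taken
from any real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed weak configuration: devMode on, result JSP served from the web root.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction">
      <result>/hello.jsp</result>
    </action>
  </package>
</struts>"""

WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed hardened configuration: devMode off, result moved under WEB-INF
# (still reachable via the Struts forward, which security constraints do not
# apply to), plus a constraint with an empty <auth-constraint/> that denies
# every direct client request for *.jsp / *.jspx.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction">
      <result>/WEB-INF/jsp/hello.jsp</result>
    </action>
  </package>
</struts>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>raw JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.jspx</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def dev_mode_enabled(struts_xml: str, struts_properties: str = "") -> bool:
    """True if struts.devMode resolves to true. Struts reads constants from
    struts.xml first and struts.properties afterwards, and the last one wins;
    web.xml filter init-params (which override both) are not checked here."""
    enabled = False  # Struts default
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == "struts.devMode":
            enabled = const.get("value", "").strip().lower() == "true"
    for line in struts_properties.splitlines():
        line = line.strip()
        if line.startswith("struts.devMode"):
            enabled = line.partition("=")[2].strip().lower() == "true"
    return enabled


def exposed_jsp_results(struts_xml: str) -> list:
    """Result JSPs that live outside /WEB-INF/ and so are directly requestable."""
    out = []
    for result in ET.fromstring(struts_xml).iter("result"):
        path = (result.text or "").strip()
        if path.endswith((".jsp", ".jspx")) and not path.startswith("/WEB-INF/"):
            out.append(path)
    return out


def raw_jsp_blocked(web_xml: str) -> bool:
    """True if a security-constraint covers *.jsp with an empty auth-constraint
    (no roles listed), which the Servlet spec treats as deny-to-everyone."""
    root = ET.fromstring(web_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for sc in root.iter(ns + "security-constraint"):
        patterns = [p.text.strip() for p in sc.iter(ns + "url-pattern") if p.text]
        auth = sc.find(ns + "auth-constraint")
        denies_all = auth is not None and auth.find(ns + "role-name") is None
        if denies_all and "*.jsp" in patterns:
            return True
    return False


def audit(struts_xml: str, web_xml: str, struts_properties: str = "") -> list:
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    if dev_mode_enabled(struts_xml, struts_properties):
        findings.append("struts.devMode is enabled; set it to false in production")
    exposed = exposed_jsp_results(struts_xml)
    if exposed and not raw_jsp_blocked(web_xml):
        findings.append("JSP results outside /WEB-INF/ with no *.jsp security constraint: "
                        + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for label, sx, wx in (("weak", WEAK_STRUTS_XML, WEAK_WEB_XML),
                          ("hardened", HARDENED_STRUTS_XML, HARDENED_WEB_XML)):
        print(label, audit(sx, wx) or ["no findings"])
```

Note that the empty `<auth-constraint/>` only affects requests arriving from the client; the Struts result forward to /WEB-INF/jsp/hello.jsp is a server-side RequestDispatcher call and is unaffected, which is why moving JSPs under WEB-INF and adding the constraint can be combined without breaking the application.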

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2022-06026
CVE-2015-2992
GHSA-265R-PP83-GWW7

Affected Products

Apache Struts