Apache Struts 2.x to 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted ‘action:’, ‘redirect:’, or ‘redirectAction:’ prefix.
The prefix mechanism was intended to help attach navigational information to buttons within forms.
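For defenders reviewing access logs, the following Python check is an added example, not part of the original advisory. It flags requests whose parameter names begin with one of the three prefixes and marks those that also carry an expression delimiter. The Common Log Format layout, the `${` / `%{` delimiters, the function names and the sample lines are assumptions; parameters sent in POST bodies do not appear in such logs and are not covered.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named in the advisory text.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Assumption: an OGNL expression is wrapped in ${...} or %{...}.
EXPR = re.compile(r"[$%]\{")
# Assumption: Common Log Format request field, "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return [(prefix, has_expression), ...] for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    findings = []
    query = match.group(1).partition("?")[2]
    for pair in query.split("&"):
        # The prefix sits in the parameter NAME, so inspect the part before '='.
        name = decode_fully(pair.split("=", 1)[0].replace("+", " "))
        for prefix in PREFIXES:
            if name.startswith(prefix):
                has_expr = bool(EXPR.search(name[len(prefix):]))
                findings.append((prefix, has_expr))
    return findings

# Constructed sample lines (documentation IP ranges, EXPR is a placeholder).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /shop/index.action?redirect:%25%7BEXPR%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /shop/index.action?redirectAction:%24%7BEXPR%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /shop/save.action?action:cancel=Cancel HTTP/1.1" 200 731',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /shop/index.action?redirect=home HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for prefix, has_expr in scan_line(entry):
            level = "ALERT" if has_expr else "review"
            print(f"{level}: prefix {prefix!r} in: {entry}")
```

A prefix without an expression delimiter (the third sample line) matches the intended button-navigation use and is reported for review only; a prefix followed by a delimiter is the pattern the advisory describes.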