GHSA-2PPP-XJ34-VVF7 Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method...