5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.015 Low
EPSS
Percentile
86.9%
The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints.
In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:
CPE | Name | Operator | Version |
---|---|---|---|
org.apache.struts:struts2-core | lt | 2.3.15.3 |