The security bulletin for CVE-2015-5169 ( https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone know if the vulnerability also exists in Struts 1 in some form? I realize Struts 1.x are no longer supported and that is why the bulletin doesn't cover those releases. I grabbed the 1.3.10 code and searched for the devMode property (that property appears to be involved in the vulnerability) and did not find any refs. Searching for that property in 2.x yields lots of references and leads me to believe the devMode functionality was added in Struts 2. If so, then that is good but not conclusive evidence the vulnerability is not in Struts 1. I'd appreciate hearing any info others have on CVE-2015-5169 and Struts 1.
-Dave-