Problem:
--------

A security vulnerability affecting all versions of Struts 2 before Struts 2.2.3 has been reported by Dr. Marian Ventuneac (Genworth). The vulnerability allows an attacker to inject malicious client-side JavaScript code into Struts 2 based applications that have Dynamic Method Invocation enabled (which is the default) AND do not have a global error handling page configured.

For further details, see:

https://cwiki.apache.org/WW/s2-006.html
https://issues.apache.org/jira/browse/WW-3579

Solution:
---------

We advise all users of Struts 2, for all their Struts 2 based applications, to either

- upgrade to Struts 2.2.3, which fixes the issue; it can be obtained from http://struts.apache.org/download.cgi#struts223
- or disable Dynamic Method Invocation in struts.xml, as described in https://cwiki.apache.org/WW/s2-006.html
- or define a global error page in struts.xml, as described in https://cwiki.apache.org/WW/s2-006.html

- The Apache Struts Team.

--
René Gielen
http://twitter.com/rgielen
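As an added illustration that is not part of the advisory above, the following struts.xml fragment applies the two configuration mitigations named in the Solution section: switching off Dynamic Method Invocation through the struts.enable.DynamicMethodInvocation constant, and mapping all exceptions to a global error result. The package name, action class and the JSP paths under /WEB-INF/ are placeholders; the authoritative steps are on the linked s2-006 page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Mitigation 1: turn off Dynamic Method Invocation. Leaving this
         constant out keeps the pre-2.2.3 default of "true", which is the
         vulnerable state the advisory describes. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Placeholder package name; extends the framework's default package. -->
    <package name="example" extends="struts-default">

        <!-- Mitigation 2: a global error page, so an unexpected exception is
             rendered by a view the application controls instead of the
             default error response. /WEB-INF/error.jsp is an assumed path. -->
        <global-results>
            <result name="error">/WEB-INF/error.jsp</result>
        </global-results>

        <global-exception-mappings>
            <exception-mapping exception="java.lang.Exception" result="error" />
        </global-exception-mappings>

        <!-- With DMI disabled, each invokable method is mapped explicitly
             here rather than being selectable from the request. -->
        <action name="saveUser" class="com.example.UserAction" method="save">
            <result>/WEB-INF/user.jsp</result>
        </action>
    </package>
</struts>
```

The error view itself should render any request-derived text with escaping (the Struts 2 `<s:property>` tag escapes HTML by default) so that the error page does not reintroduce the same script injection it is meant to contain.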