Vulnerability

CVE-2016-3082

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-20

References

http://struts.apache.org/docs/s2-031.html
https://tools.cisco.com/security/center/viewAlert.x?alertId=44804
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082

[CVE-2016-3082] CWE-20: Improper Input Validation

Description

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

See opensymphony/webwork package information