The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Struts | Apache | 2.0.0 (including) | 2.3.1 (excluding) |