CVE-2013-1966 Apache Struts Remote Code Execution Vulnerabilities (S2-013, S2-014)

The Apache Struts web framework is a free open source solution for creating Java web applications.

A vulnerability CVE-2013-1966 and CVE-2013-2115 exists due to Invalid handling of "includeParams" attribute, which leads to code execution by forcing parameter inclusion in the URL and Anchor Tag.

Affected Software:
Apache Struts versions 2.0.0 through 2.3.14.1 are vulnerable.

If successful, an attacker can manipulate server-side context objects with the privileges of the user running the application and execute arbitrary code.

Upgrade to the latest version of the Apache Struts 2 framework to fix this issue. For more details please refer to vendor advisory: S2-013, S2-014.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Struts 2.3.14.3