CVE-2013-2248
Open redirect in Apache Struts
Description
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. Attackers could use this to redirect to arbitrary web sites and conduct phishing attacks. In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
How to fix CVE-2013-2248
To remediate CVE-2013-2248, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.15.1 or later
Is CVE-2013-2248 being exploited?
Likely — EPSS is 92.0%, placing CVE-2013-2248 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- from 0, < 2.3.15.1