CVE-2013-1966: struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags

Severity: Critical

CVSS Score: 9.3

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.