Apache Struts is a framework for building web applications.
Apache Struts on the target web application was found to be vulnerable to a remote code execution vulnerability as described in Security Bulletin S2-009. The assigned CVE ID is CVE-2011-3923.
The vulnerability exists due to regular expression in ParametersInterceptor matches top[‘foo’](0) as a valid expression, which OGNL treats as (top[‘foo’])(0) and evaluates the value of ‘foo’ action parameter as an OGNL expression.
Struts 2.0.0 – Struts 18.104.22.168
A remote attacker could exploit this vulnerability to execute arbitrary code.