The following security bulletins are available:
- S2-001 — Remote code exploit on form validation error
- S2-002 — Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags
- S2-003 — XWork ParameterInterceptors bypass allows OGNL statement execution
- S2-004 — Directory traversal vulnerability while serving static content
- S2-005 — XWork ParameterInterceptors bypass allows remote command execution
- S2-006 — Multiple Cross-Site Scripting (XSS) in XWork generated error pages
- S2-007 — User input is evaluated as an OGNL expression when there's a conversion error
- S2-008 — Multiple critical vulnerabilities in Struts2
- S2-009 — ParameterInterceptor vulnerability allows remote command execution
- S2-010 — When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
- S2-011 — Long request parameter names might significantly promote the effectiveness of DOS attacks