Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
{
"cpe": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.20.3"
},
{
"introduced": "2.3.21"
},
{
"last_affected": "2.3.24.1"
}
],
"source": "CPE_RANGE"
}