Apache Struts 2 DefaultActionMapper redirect Remote Code Execution Exploit Update

The DefaultActionMapper class in Apache Struts 2 supports short-circuit navigation state changes through parameters prefixed with "action:" or "redirect:". The information that follows these prefixes is not properly sanitized before being evaluated as an OGNL expression on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework.
Exploit type: 
Vulnerability ID: CVE-2013-2251
Product Version: 2013_R2
Released Date: Monday, October 28, 2013 - 00:00
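
For defenders reviewing web server logs, the following added example (not part of the original module or of Struts) flags query parameters that begin with the two prefixes described above and separates plain navigation use from values that appear to carry an expression. The log layout, the sample lines and the choice of "${" and "%{" as expression markers are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

PREFIXES = ("action:", "redirect:")   # the two prefixes named in the advisory
EXPR_MARKERS = ("${", "%{")           # assumption: delimiters that open an expression
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')  # assumed combined-log layout


def classify_target(target):
    """Return (verdict, decoded_parameter) findings for one request target."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        # Decode before matching: prefix, colon and braces may be percent-encoded.
        decoded = unquote_plus(pair)
        if decoded.startswith(PREFIXES):
            hit = any(marker in decoded for marker in EXPR_MARKERS)
            findings.append(("expression" if hit else "prefix-only", decoded))
    return findings


def scan_log(lines):
    """Return (client, verdict, decoded_parameter) for each flagged parameter."""
    results = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed layout
        client, target = match.groups()
        for verdict, param in classify_target(target):
            results.append((client, verdict, param))
    return results


# Constructed sample lines: documentation addresses, made-up paths and values.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2013:10:00:01 +0000] "GET /shop/index.action?id=7 HTTP/1.1" 200 512',
    '192.0.2.11 - - [28/Oct/2013:10:00:02 +0000] "GET /shop/save.action?action:list=Go HTTP/1.1" 200 640',
    '198.51.100.7 - - [28/Oct/2013:10:00:03 +0000] "GET /shop/index.action?redirect:%24%7Bconstructed%7D HTTP/1.1" 302 0',
    '192.0.2.12 - - [28/Oct/2013:10:00:04 +0000] "GET /shop/search.action?q=how+to+redirect:+traffic HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(row)
```

A "prefix-only" hit can be legitimate navigation and is worth baselining per application, while an "expression" hit warrants investigation. Parameters sent in a POST body do not appear in access logs, so the same check would need to run where request bodies are visible.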