Out of Band Code Evaluation (Apache Struts 2)
Invicti identified a Remote Code Evaluation (Apache Struts 2) by capturing a DNS A request, which occurs when input data is run as code.
An attacker can send a specially crafted XML request to the application. The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Evaluation when deserializing the XML payloads.
Upgrade to Apache Struts version 2.5.13 or 2.3.34.