Two weaknesses and multiple vulnerabilities have been reported in Apache Struts
Apache Struts 2.x
The vulnerabilities can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
1) Input passed via the "redirect:" and "redirectAction:" prefixing parameters is not properly verified in the DefaultActionMapper class (org.apache.struts2.dispatcher.mapper.DefaultActionMapper) before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to an affected script hosted on a trusted domain.
2) An input sanitization error when handling the "action:", "redirect:", and "redirectAction:" prefixing parameters in the DefaultActionMapper class (org.apache.struts2.dispatcher.mapper.DefaultActionMapper) can be exploited to, e.g., inject and execute arbitrary Java code via OGNL (Object-Graph Navigation Language) expressions.
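Both issues hinge on DefaultActionMapper reading the "action:", "redirect:" and "redirectAction:" prefixes from request parameter names. The following detection script is an added example (not part of the advisory or of Struts) that scans constructed access-log lines for such parameter names and separates the open-redirect case (1) from the OGNL-expression case (2); the log format, sample lines and the "${" / "%{" markers it looks for are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes that DefaultActionMapper acts on (from the advisory).
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")
# Assumed markers of an OGNL expression embedded in a prefixed parameter name.
OGNL_MARKERS = ("${", "%{")

# Common-log-format line: ip ident user [ts] "METHOD target PROTO" status ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify_request(target):
    """Return (finding, parameter name) for a request target, or (None, None).

    The payload lives in the parameter *name* because the mapper inspects names,
    so e.g. '?redirect:http://host/' has name 'redirect:http://host/' and no value.
    parse_qsl percent-decodes names, so encoded '${' is caught as well.
    """
    query = urlsplit(target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for prefix in STRUTS_PREFIXES:
            if not name.startswith(prefix):
                continue
            payload = name[len(prefix):]
            if any(marker in payload for marker in OGNL_MARKERS):
                return "ognl-injection", name          # advisory item 2
            if prefix != "action:" and re.match(r"^(https?:)?//", payload):
                return "open-redirect", name           # advisory item 1
            return "prefix-parameter", name            # informational: legitimate use exists
    return None, None

def scan_access_log(lines):
    """Yield (client ip, finding, parameter name) for every flagged log line."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        finding, param = classify_request(m.group("target"))
        if finding:
            findings.append((m.group("ip"), finding, param))
    return findings

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [10/Jul/2013:12:00:01 +0000] "GET /app/login.action?redirect:http://evil.example/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jul/2013:12:00:02 +0000] "GET /app/login.action?redirect:%24%7Bplaceholder%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jul/2013:12:00:03 +0000] "GET /app/login.action?username=bob HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Jul/2013:12:00:04 +0000] "POST /app/login.action?action:home HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, finding, param in scan_access_log(LOG_LINES):
        print(f"{ip}\t{finding}\t{param}")
```

The "prefix-parameter" finding is informational because Struts form submit buttons legitimately emit "action:" names; the other two findings are the ones worth alerting on and, on an unpatched host, a reason to block the prefixes at the proxy until the update is applied.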
The vendor recommends updating to version 184.108.40.206.