XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.Referenceshttp://www.securityfocus.com/bid/88826http://struts.apache.org/docs/s2-031.htmlhttp://www.securitytracker.com/id/1035664
