TL;DR a problem in deserializing untrusted data submitted via the REST plugin can result in remote code execution. CVE-2017-9805. All versions of Struts since 2008, fixed in today's release of 2.5.13 [1]. If you're using Java and receiving XML data, look really hard at this.
1 comment
[ 2.7 ms ] story [ 10.2 ms ] thread"A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests" https://struts.apache.org/docs/s2-052.html
[1] https://struts.apache.org/announce.html#a20170905 for today's release announcement of 2.5.13 that fixes this plus two denial-of-service vulnerabilities.