Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
Time of Introduction
Technical Impact: Bypass protection mechanism
This mapping defines an action for a download form:
This mapping sets validate="false", so the form bean's validate() method is never called before the action runs. Disabling validation exposes this action to every attack that relies on unvalidated input reaching the application.
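The following struts-config.xml fragment is an added example, not the mapping from the original entry: it shows the weak mapping with validate="false" next to the corrected one. The form bean name, the class names (example.DownloadForm, example.DownloadAction) and the paths are assumed for illustration.

```xml
<struts-config>
  <form-beans>
    <!-- Hypothetical form bean. DownloadForm is assumed to extend
         org.apache.struts.action.ActionForm and override validate()
         (or extend ValidatorForm and use validation.xml). -->
    <form-bean name="downloadForm" type="example.DownloadForm"/>
  </form-beans>

  <action-mappings>
    <!-- WEAK: validate="false" tells the Struts controller to skip
         DownloadForm.validate() entirely. Whatever the client sends in
         the request parameters is populated into the form bean and
         handed to DownloadAction.execute() unchecked. -->
    <action path="/download-unchecked"
            type="example.DownloadAction"
            name="downloadForm"
            scope="request"
            input="/download.jsp"
            validate="false"/>

    <!-- FIXED: validate="true" (the Struts 1 default when the attribute
         is omitted) makes the controller call validate() first. If it
         returns a non-empty ActionErrors, the request is forwarded back
         to the "input" page and the action never executes. The input
         attribute must therefore be present for a validated mapping. -->
    <action path="/download"
            type="example.DownloadAction"
            name="downloadForm"
            scope="request"
            input="/download.jsp"
            validate="true"/>
  </action-mappings>
</struts-config>
```

Two paths are used only so both mappings can appear in one file; in a real configuration there is one mapping per path. Note that validate="true" only guarantees that validate() is invoked: if the form bean does not override validate() (or does not extend ValidatorForm), the default implementation returns null and no checks are performed, which is a separate weakness.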
Ensure that every action form mapping enables validation: set the validate attribute to true (or omit it, since Struts 1 defaults it to true) and supply an input attribute so that validation failures have a page to return to. Also confirm that the form bean actually implements validate(), because validate="true" only causes that method to be called.
The action form mapping in the demonstrative example disables the form's validate() method. A related setting applies to output: the Struts bean:write tag automatically encodes special HTML characters, replacing a < with "&lt;" and a > with "&gt;". This encoding can be turned off per tag by specifying filter="false" as an attribute of bean:write. A JSP page that writes user-controlled data through a tag with filtering disabled is susceptible to cross-site scripting: an attacker may be able to submit malicious script as user input and have it rendered unencoded into the page.
Primary (where the weakness exists independent of other weaknesses)