zhong:
Multiple critical vulnerabilities in Apache Struts2
[Reads: 216] 2012-01-10 01:16:08
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
Vendor description:
-------------------
Apache Struts2 is a web framework for creating Java web applications. It
uses the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. An OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser, which
invokes the appropriate Java methods. This allows e.g. convenient access to
properties that have a getter/setter method implemented. By providing a
parameter like "product.id=1" the OGNL parser will call the appropriate setter
getProduct().setId(1) in the current action context. OGNL is also able to call
arbitrary methods and constructors and to access context variables. For more details
please refer to http://commons.apache.org/ognl/language-guide.html.
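To make the binding behaviour described above concrete, here is an added example (not code from the advisory, Struts, XWork or OGNL) that models it in Python: a parameter name such as "product.id" is walked as a property path, each segment except the last is resolved through a getter, and the last is applied through a setter, exactly as "product.id=1" becomes getProduct().setId(1). The defensive point is the allow-list in front of the binder: only plain dotted property names are accepted, so any parameter name carrying expression syntax (parentheses, "#", "@", quotes) is rejected before anything is evaluated. The action, bean and regular expression are constructed for illustration and are not Struts identifiers.

```python
import re
from typing import Any, Dict, List

# Constructed stand-in for a Struts-style action with a nested bean.
class Product:
    def __init__(self) -> None:
        self._id = 0

    def getId(self) -> int:
        return self._id

    def setId(self, value: Any) -> None:
        self._id = int(value)


class OrderAction:
    """Hypothetical action object; the binder starts from here."""
    def __init__(self) -> None:
        self._product = Product()

    def getProduct(self) -> Product:
        return self._product


# Allow-list for parameter names: identifier segments separated by dots,
# nothing else. Parentheses, '#', '@', quotes and escapes are expression
# syntax rather than property names and never reach the binder.
SAFE_PARAM_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def is_safe_param_name(name: str) -> bool:
    """True only for plain dotted property paths such as 'product.id'."""
    return SAFE_PARAM_NAME.fullmatch(name) is not None


def _accessor(obj: Any, prefix: str, prop: str) -> Any:
    """Look up getX/setX for property 'x' on obj, or None if absent."""
    return getattr(obj, prefix + prop[0].upper() + prop[1:], None)


def bind_parameter(root: Any, name: str, value: Any) -> bool:
    """Apply name=value to root via getters and a final setter.

    Returns True if the value was bound, False if the name was rejected by
    the allow-list or no matching getter/setter chain exists.
    """
    if not is_safe_param_name(name):
        return False
    segments = name.split(".")
    target = root
    for seg in segments[:-1]:
        getter = _accessor(target, "get", seg)
        if getter is None:
            return False
        target = getter()
    setter = _accessor(target, "set", segments[-1])
    if setter is None:
        return False
    setter(value)
    return True


def bind_all(root: Any, params: Dict[str, Any]) -> List[str]:
    """Bind every request parameter; return the names that were not bound."""
    return [n for n, v in params.items() if not bind_parameter(root, n, v)]


if __name__ == "__main__":
    action = OrderAction()
    # Constructed request: one legitimate property path plus names that
    # carry expression syntax or have no setter behind them.
    unbound = bind_all(action, {"product.id": "42", "product.id)": "1",
                                "#ctx.value": "1", "product.name": "x"})
    print(action.getProduct().getId(), unbound)
```

In real Struts2 the allow-list belongs on the ParametersInterceptor's accepted-name pattern (and on excluding names that touch the action context), not in the action code; the point of the model is that name validation has to happen before the name is handed to an expression evaluator, because by the time OGNL parses "product.id)" the tokenizer already treats it as an expression rather than a property.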