Vulnerability:
- Title: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
- ID: cisco-sa-20131023-struts2
- Severity: Critical
- CVSS Base Score: 10.0
- CVE ID: CVE-2013-2251
- CWE ID: CWE-20

Affected Products:
- Cisco Business Edition 3000
- Cisco Identity Services Engine (ISE)
- Cisco Media Experience Engine (MXE) 3500 Series
- Cisco Unified SIP Proxy (Cisco Unified SP)
- Cisco Unified Contact Center Enterprise (Cisco Unified CCE) and Cisco Packaged Contact Center Enterprise (Cisco PCCE)

Source of the Vulnerability:
- Insufficient sanitization of user-supplied input in the DefaultActionMapper component

Exploitation:
- Vulnerability has been publicly disclosed and exploit code is available

Workarounds: None available

Fixed Software:
- Specific fixed releases are provided for affected products, except Cisco Business Edition 3000 for which customers should contact Cisco TAC for options

Source:
- Kevin Ostrin from Security Metrics reported the vulnerability to Cisco