This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation, which allows remote attackers to execute arbitrary Java code via crafted parameters.
568fa33a2e2d5a30bbf04a28ef0440ffb1ef8efbbd4f569d313ce10a93ef7a01