Files or Directories Accessible to External Parties
An attacker can manipulate file upload params to enable path traversal and under some circumstances, this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts versions prior to 2.5.33, and 6.x prior to 184.108.40.206.
CWE-552 - Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.