ProblemThe excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure cookiesName param). SolutionIn Struts 2.3.20 improved "class" pattern was