CVE-2013-6348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6348): Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.
Looks like addressed in 2.3.16 as part of upstream. https://issues.apache.org/jira/browse/WW/fixforversion/12324546
This package has been removed, along with all the struts related ebuilds. See bug 540888.
GLSA Vote: No
Since no glsa for XSS, closing this