Let's say there is an action (myAction.action) that serves a JSP Page with the following snippet:
<a href="<s:url includeParams="all"/>">My Link</a>
This is very similiar to the vulnerability in Security Bulletin S2-002; however, the implemented fix for S2-002 only checks for "<script>", not "<sCript>".
I attached a possible fix as a patch. Essentially, both the key and value for a parameter must be escaped when creating the query string in UrlHelper.java.