oss-sec mailing list archives

CVE-2021-36738: XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet

From: Neil Griffin <asfgriff () apache org>
Date: Wed, 5 Jan 2022 18:32:51 -0500

Severity: moderate

Description:

The input fields in the JSP version of the Apache Pluto Applicant MVCBean
CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users
should migrate to version 3.1.1 of the
applicant-mvcbean-cdi-jsp-portlet.war artifact

Mitigation:

* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact
-or-
* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war
artifact

Current thread:

CVE-2021-36738: XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet Neil Griffin (Jan 05)