oss-sec mailing list archives
CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP portlet maven archetype
From: Neil Griffin <asfgriff () apache org>
Date: Wed, 5 Jan 2022 18:35:17 -0500
Severity: moderate
Description:
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean
JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS)
attacks.
Mitigation:
If a project was generated from the affected maven archetype using a
command like the following:
mvn archetype:generate \
-DarchetypeGroupId=org.apache.portals.pluto.archetype \
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
-DarchetypeVersion=3.1.0 \
-DgroupId=com.mycompany \
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet
Then developers must fix the generated greeting.jspx file by escaping the
rendered values submitted to the "First Name" and "Last Name" fields.
For example, change:
${user.firstName} ${user.lastName}!
To:
${mvc.encoders.html(user.firstName)}
${mvc.encoders.html(user.lastName)}!
Moving forward, all such projects should be generated from version 3.1.1 of
the Maven archetype.
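An added check for projects that were already generated from the 3.1.0 archetype (example script, not part of this advisory or of Apache Pluto): it counts bare ${user.firstName} / ${user.lastName} expressions in the given .jspx files and rewrites them to the ${mvc.encoders.html(...)} form shown above. The greeting.jspx written by write_sample_greeting is a constructed stand-in, since the advisory does not reproduce the real generated file; the function names are this example's own.

```shell
#!/bin/sh
# Locate and fix unencoded ${user.firstName} / ${user.lastName} expressions
# in .jspx files generated from the affected archetype.

write_sample_greeting() {
  # $1: path to write. Constructed stand-in for the generated greeting.jspx;
  # the real archetype file is not shown in the advisory. One line renders
  # both fields unencoded, one already uses the encoder.
  cat > "$1" <<'EOF'
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
  <p>Hello ${user.firstName} ${user.lastName}!</p>
  <p>Already safe: ${mvc.encoders.html(user.firstName)}</p>
</jsp:root>
EOF
}

count_unencoded_fields() {
  # $@: one or more .jspx files. Prints the number of bare
  # ${user.firstName} / ${user.lastName} expressions, i.e. references that
  # are not wrapped in mvc.encoders.html(...). Prints 0 when none remain.
  grep -oE '\$\{user\.(firstName|lastName)\}' "$@" | wc -l | tr -d ' '
}

fix_unencoded_fields() {
  # $@: one or more .jspx files, rewritten in place so that
  # ${user.firstName} becomes ${mvc.encoders.html(user.firstName)} (and the
  # same for lastName). Expressions that are already encoded do not match
  # the pattern and are left untouched.
  sed -i.bak -E 's/\$\{user\.(firstName|lastName)\}/${mvc.encoders.html(user.\1)}/g' "$@"
  for f in "$@"; do rm -f "$f.bak"; done
}

# Stand-alone demonstration on the constructed sample file.
demo_file="${TMPDIR:-/tmp}/greeting.$$.jspx"
write_sample_greeting "$demo_file"
echo "before: $(count_unencoded_fields "$demo_file") unencoded field(s)"
fix_unencoded_fields "$demo_file"
echo "after:  $(count_unencoded_fields "$demo_file") unencoded field(s)"
cat "$demo_file"
rm -f "$demo_file"
```

On a real project, run the two functions over every view file rather than only greeting.jspx, for example `count_unencoded_fields $(find src -name '*.jspx')`, so that any copy of the expression elsewhere in the generated sources is also caught; a non-zero count after the rewrite means some occurrence used a different spelling and needs a manual look.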