CVE-2021-36737

Summary

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Portalsorg.apache.portals.pluto:PortletV3Demo 3.0.0affected
Apache Software FoundationApache Portalsorg.apache.portals.pluto:PortletV3Demo 3.0.1affected
Apache Software FoundationApache Portalsorg.apache.portals.pluto.demo:v3-demo-portlet 3.1.0affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

  • Uninstall the v3-demo-portlet.war artifact -or-
  • Migrate to version 3.1.1 of the v3-demo-portlet.war artifact

ADP Enrichment

CVE Program Container

Additional References

References