CVE-2021-36739
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Portals | org.apache.portals.pluto.archetype:mvcbean-jsp-portlet-archetype 3.1.0 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workarounds
If a project was generated from the affected maven archetype using a command like the following:
mvn archetype:generate
-DarchetypeGroupId=org.apache.portals.pluto.archetype
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype
-DarchetypeVersion=3.1.0
-DgroupId=com.mycompany
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet
Then developers must fix the generated greeting.jspx file by escaping the rendered values submitted to the "First Name" and "Last Name" fields.
For example, change:
<span>${user.firstName} ${user.lastName}! </span>
To:
<span>${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! </span>
Moving forward, all such projects should be generated from version 3.1.1 of the Maven archetype.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.