CVE-2021-36739

Summary

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Portalsorg.apache.portals.pluto.archetype:mvcbean-jsp-portlet-archetype 3.1.0affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

If a project was generated from the affected maven archetype using a command like the following:

mvn archetype:generate
-DarchetypeGroupId=org.apache.portals.pluto.archetype
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype
-DarchetypeVersion=3.1.0
-DgroupId=com.mycompany
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet

Then developers must fix the generated greeting.jspx file by escaping the rendered values submitted to the "First Name" and "Last Name" fields.

For example, change:

 <span>${user.firstName} ${user.lastName}! </span>

To:

 <span>${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! </span>

Moving forward, all such projects should be generated from version 3.1.1 of the Maven archetype.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References