You are viewing a plain text version of this content. The canonical link for it is here.

Posted to general@portals.apache.org by Neil Griffin <as...@apache.org> on 2022/01/05 23:35:17 UTC

CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP portlet maven archetype

Severity: moderate

Description:

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean
JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS)
attacks.

Mitigation:

If a project was generated from the affected maven archetype using a
command like the following:

mvn archetype:generate \
     -DarchetypeGroupId=org.apache.portals.pluto.archetype \
     -DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
     -DarchetypeVersion=3.1.0 \
     -DgroupId=com.mycompany \
     -DartifactId=com.mycompany.my.mvcbean.jsp.portlet

Then developers must fix the generated greeting.jspx file by escaping the
rendered values submitted to the "First Name" and "Last Name" fields.

For example, change:

     ${user.firstName} ${user.lastName}!

To:

     ${mvc.encoders.html(user.firstName)}
${mvc.encoders.html(user.lastName)}!

Moving forward, all such projects should be generated from version 3.1.1 of
the Maven archetype.