Posted to general@portals.apache.org by Neil Griffin <as...@apache.org> on 2022/01/05 23:35:17 UTC
CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP portlet maven archetype
Severity: moderate
Description:
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean
JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS)
attacks.
Mitigation:
If a project was generated from the affected maven archetype using a
command like the following:
mvn archetype:generate \
-DarchetypeGroupId=org.apache.portals.pluto.archetype \
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
-DarchetypeVersion=3.1.0 \
-DgroupId=com.mycompany \
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet
then developers must fix the generated greeting.jspx file by HTML-escaping
the rendered values submitted through the "First Name" and "Last Name" fields.
For example, change:
${user.firstName} ${user.lastName}!
To:
${mvc.encoders.html(user.firstName)}
${mvc.encoders.html(user.lastName)}!
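As an added illustration (not part of this advisory or of Pluto's own code), the following stand-alone Java class mirrors the two JSPX expressions above in plain string form so the difference can be seen outside a portlet container. The htmlEncode helper is a hypothetical stand-in for the MVC ${mvc.encoders.html(...)} encoder, and its entity mapping (escaping & < > " ') is an assumption about what an HTML-context encoder does, not a copy of Pluto's implementation.

```java
// Added example, not from the advisory or the Pluto project.
// htmlEncode is a hypothetical stand-in for ${mvc.encoders.html(...)}.
public final class GreetingEscapeDemo {

    /** Escapes the characters that carry meaning in HTML text and attribute contexts (assumed mapping). */
    static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Mirrors the vulnerable expression: ${user.firstName} ${user.lastName}! */
    static String greetingUnescaped(String first, String last) {
        return first + " " + last + "!";
    }

    /** Mirrors the fixed expression: ${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! */
    static String greetingEscaped(String first, String last) {
        return htmlEncode(first) + " " + htmlEncode(last) + "!";
    }

    public static void main(String[] args) {
        // Constructed sample input: a surname that happens to contain markup characters.
        String first = "Anne-Marie";
        String last = "O'Brien <b>&</b>";
        // Unescaped: the angle brackets and ampersand reach the browser as markup.
        System.out.println(greetingUnescaped(first, last));
        // Escaped: the same characters render as literal text.
        System.out.println(greetingEscaped(first, last));
    }
}
```

Running the class prints the raw greeting first and the entity-encoded greeting second; only the second is safe to place into the rendered page.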
Moving forward, all such projects should be generated from version 3.1.1 of
the Maven archetype.