[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 5 Jan 2022 18:35:17 -0500
From: Neil Griffin <asfgriff@...che.org>
To: general@...tals.apache.org, pluto-user@...tals.apache.org,
announce@...che.org, jetspeed-user@...tals.apache.org, security@...che.org,
oss-security@...ts.openwall.com
Subject: CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP
portlet maven archetype
Severity: moderate
Description:
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean
JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS)
attacks.
Mitigation:
If a project was generated from the affected maven archetype using a
command like the following:
mvn archetype:generate \
-DarchetypeGroupId=org.apache.portals.pluto.archetype \
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
-DarchetypeVersion=3.1.0 \
-DgroupId=com.mycompany \
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet
Then developers must fix the generated greeting.jspx file by escaping the
rendered values submitted to the "First Name" and "Last Name" fields.
For example, change:
${user.firstName} ${user.lastName}!
To:
${mvc.encoders.html(user.firstName)}
${mvc.encoders.html(user.lastName)}!
Moving forward, all such projects should be generated from version 3.1.1 of
the Maven archetype.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
