Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 5 Jan 2022 18:35:17 -0500
From: Neil Griffin <>
Subject: CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP
 portlet maven archetype

Severity: moderate


The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean
JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS)


If a project was generated from the affected maven archetype using a
command like the following:

mvn archetype:generate \
     -DarchetypeGroupId=org.apache.portals.pluto.archetype \
     -DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
     -DarchetypeVersion=3.1.0 \
     -DgroupId=com.mycompany \

Then developers must fix the generated greeting.jspx file by escaping the
rendered values submitted to the "First Name" and "Last Name" fields.

For example, change:

     ${user.firstName} ${user.lastName}!



Moving forward, all such projects should be generated from version 3.1.1 of
the Maven archetype.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.