CVE-2021-36737Cross-site Scripting in Apache Pluto

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
10.4%
top 6.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache PlutoApache Software Foundation Apache Portals
Timeline
PublishedJan 6
Latest updateJan 8

Description

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDapache/pluto< 3.1.1
CVEListV5apache_software_foundation/apache_portalsorg.apache.portals.pluto.demo:v3-demo-portlet 3.1.0, org.apache.portals.pluto:PortletV3Demo 3.0.0, org.apache.portals.pluto:PortletV3Demo 3.0.1+2

🔴Vulnerability Details

3
OSV
Cross-site Scripting in Apache Pluto2022-01-08
GHSA
Cross-site Scripting in Apache Pluto2022-01-08
CVEList
XSS in V3 Demo Portlet2022-01-06
CVE-2021-36737 — Cross-site Scripting in Apache Pluto | cvebase