CVE-2021-36738

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

10.4%

top 6.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Pluto Apache Software Foundation Apache Portals

Timeline

PublishedJan 6

Latest updateJan 8

Description

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDapache/pluto< 3.1.1

▶Mavenorg.apache.portals.pluto:pluto-portal< 3.1.1

▶CVEListV5apache_software_foundation/apache_portalsorg.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet 3.1.0

🔴Vulnerability Details

OSV

Cross-site Scripting in Apache Pluto↗2022-01-08

▶

GHSA

Cross-site Scripting in Apache Pluto↗2022-01-08

▶

CVEList

XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet↗2022-01-06

▶