Apache Pluto vulnerabilities

CVE-2021-36739 [MEDIUM] CWE-79 CVE-2021-36739: The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetyp The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

CVE-2021-36737 [MEDIUM] CWE-79 CVE-2021-36737: The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) att The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact

CVE-2021-36738 [MEDIUM] CWE-79 CVE-2021-36738: The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

CVE-2020-15250 [MEDIUM] CWE-200 CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local informa In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users

CVE-2019-0186 [MEDIUM] CWE-79 CVE-2019-0186: The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cros The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file

CVE-2018-1306 [HIGH] CWE-200 CVE-2018-1306: The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 co The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.