Apache Software Foundation Apache Portals vulnerabilities
4 known vulnerabilities affecting apache_software_foundation/apache_portals.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 3
Vulnerabilities
CVE-2022-32533 [CRITICAL] CVSS 9.8, CWE-79, Jetspeed 2.3.1, 2022-07-06
Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.
Sources: cvelistv5, nvd
CVE-2021-36739 [MEDIUM] CVSS 6.1, CWE-79, org.apache.portals.pluto.archetype:mvcbean-jsp-portlet-archetype 3.1.0, 2022-01-06
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.
Sources: cvelistv5, nvd
CVE-2021-36737 [MEDIUM] CVSS 6.1, CWE-79, org.apache.portals.pluto:PortletV3Demo 3.0.0, org.apache.portals.pluto:PortletV3Demo 3.0.1 (+1 more), 2022-01-06
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.
Sources: cvelistv5, nvd
CVE-2021-36738 [MEDIUM] CVSS 6.1, CWE-79, org.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet 3.1.0, 2022-01-06
The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.
Sources: cvelistv5, nvd