Severity: moderate Description:
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: If a project was generated from the affected maven archetype using a command like the following: mvn archetype:generate \ -DarchetypeGroupId=org.apache.portals.pluto.archetype \ -DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \ -DarchetypeVersion=3.1.0 \ -DgroupId=com.mycompany \ -DartifactId=com.mycompany.my.mvcbean.jsp.portlet Then developers must fix the generated greeting.jspx file by escaping the rendered values submitted to the "First Name" and "Last Name" fields. For example, change: ${user.firstName} ${user.lastName}! To: ${mvc.encoders.html(user.firstName)} ${mvc.encoders.html(user.lastName)}! Moving forward, all such projects should be generated from version 3.1.1 of the Maven archetype.