CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files inside WEB-INF to be listed and downloaded.
Vendor: The Apache Software Foundation

Versions Affected: Tapestry 5.4.0 to 5.5.0

Description: Crafting specific URLs, an attacker can download files inside the WEB-INF folder.

Mitigation: Upgrade to Apache Tapestry 5.6.0 or later.

Credit: This issue was discovered by Thomas Moore.

References: https://tapestry.apache.org/security.html

--
Thiago