CVE-2021-36738 - Vulnerability Details - OpenCVE

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Pluto

Configuration 1 [-]

cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-06T08:50:15

Updated: 2024-08-04T01:01:59.086Z

Reserved: 2021-07-14T00:00:00

Link: CVE-2021-36738

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-06T09:15:07.273

Modified: 2024-11-21T06:13:59.363

Link: CVE-2021-36738

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Portals", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "org.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet 3.1.0"}]}], "descriptions": [{"lang": "en", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-06T08:50:15", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}], "source": {"discovery": "UNKNOWN"}, "title": "XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet", "workarounds": [{"lang": "en", "value": "* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact\n-or-\n* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-36738", "STATE": "PUBLIC", "TITLE": "XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Portals", "version": {"version_data": [{"version_affected": "=", "version_name": "org.apache.portals.pluto.demo:applicant-mvcbean-cdi-jsp-portlet", "version_value": "3.1.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll", "refsource": "MISC", "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "* Uninstall the applicant-mvcbean-cdi-jsp-portlet.war artifact\n-or-\n* Migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.086Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-36738", "datePublished": "2022-01-06T08:50:15", "dateReserved": "2021-07-14T00:00:00", "dateUpdated": "2024-08-04T01:01:59.086Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*", "matchCriteriaId": "0711079D-E43A-440A-A38F-2ACE1676653E", "versionEndExcluding": "3.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact"}, {"lang": "es", "value": "Los campos de entrada en la versi\u00f3n JSP de portlet MVCBean CDI de Apache Pluto Applicant son vulnerables a ataques de tipo Cross-Site Scripting (XSS). Los usuarios deben migrar a la versi\u00f3n 3.1.1 del artefacto applicant-mvcbean-cdi-jsp-portlet.war"}], "id": "CVE-2021-36738", "lastModified": "2024-11-21T06:13:59.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-06T09:15:07.273", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/11j19v1gjsk7o6o8nch1xrydow9b8lll"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}