MODERATE

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces, allows Reflected XSS because a client window field is mishandled.
References

https://nvd.nist.gov/vuln/detail…

In Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in …

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apa…

The input fields of the Apache Pluto “Chat Room” demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file – or – * migrate to version 3.1.0 of the chat-room-demo war file
Refer…

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.
References

…

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints.
In…

Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-0712
https://mail-archives.apache…

When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Jruby resolves this bug in version 1.7.3 as not…

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-4465
https://bugzilla….

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
References

https://nvd.nist.gov/vuln/detail/CVE-2012-4387
https://exchange.xf…