CVE-2021-36739: Cross-site Scripting in Apache Pluto

January 8, 2022 (updated May 22, 2025)

The “first name” and “last name” fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

References

github.com/advisories/GHSA-3qp6-m7hp-jrwf
github.com/apache/portals-pluto
lists.apache.org/thread/m5j87nn1lmvzp8b9lmh7gqq68g5lnb7p
nvd.nist.gov/vuln/detail/CVE-2021-36739

Code Behaviors & Features

Detect and mitigate CVE-2021-36739 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →