Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2019-0186

CVE-2019-0186:
Cross-site Scripting in Apache Pluto Chatroom demo

6.1

CVSS Score

Basic Information

CVE ID
CVE-2019-0186
GHSA ID
GHSA-w47g-4vrc-m3w2
EPSS Score
-
CWE
CWE-79
Published
5/24/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.portals.pluto:chatRoomDemomaven>= 3.0.0, < 3.1.03.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped output of user-controlled input fields in JSP rendering. While no direct code patches are shown, the exploit documentation and Apache's security advisory confirm the attack vector involves JSPs that display chat messages without proper encoding. The _jspService method in JSP-compiled servlets handles output generation, making it the runtime-visible function when malicious payloads are rendered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** input *i*l*s o* t** *p**** Pluto "***t Room" **mo portl*t *.*.* *n* *.*.* *r* vuln*r**l* to *ross-Sit* S*riptin* (XSS) *tt**ks. Miti**tion: * Uninst*ll t** ***tRoom**mo w*r *il* - or - * mi*r*t* to v*rsion *.*.* o* t** ***t-room-**mo w*r *il*

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** output o* us*r-*ontroll** input *i*l*s in JSP r*n**rin*. W*il* no *ir**t *o** p*t***s *r* s*own, t** *xploit *o*um*nt*tion *n* *p****'s s**urity **visory *on*irm t** *tt**k v**tor involv*s JSPs t**t *ispl*y ***t