Vulnerabilites related to Apache Software Foundation - Apache Pluto
cve-2018-1306
Vulnerability from cvelistv5
Published
2018-06-27 18:00
Modified
2024-09-16 18:49
Severity ?
EPSS score ?
Summary
The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.exploit-db.com/exploits/45396/ | exploit, x_refsource_EXPLOIT-DB | |
| http://portals.apache.org/pluto/security.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pluto |
Version: 3.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:59:38.562Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "45396", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/45396/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://portals.apache.org/pluto/security.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pluto", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "3.0.0", }, ], }, ], datePublic: "2018-06-27T00:00:00", descriptions: [ { lang: "en", value: "The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-02-20T19:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "45396", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/45396/", }, { tags: [ "x_refsource_MISC", ], url: "http://portals.apache.org/pluto/security.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-06-27T00:00:00", ID: "CVE-2018-1306", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pluto", version: { version_data: [ { version_value: "3.0.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "45396", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/45396/", }, { name: "http://portals.apache.org/pluto/security.html", refsource: "MISC", url: "http://portals.apache.org/pluto/security.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-1306", datePublished: "2018-06-27T18:00:00Z", dateReserved: "2017-12-07T00:00:00", dateUpdated: "2024-09-16T18:49:31.524Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-0186
Vulnerability from cvelistv5
Published
2019-04-26 15:56
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file
References
| ▼ | URL | Tags |
|---|---|---|
| https://portals.apache.org/pluto/security.html | x_refsource_MISC | |
| http://mail-archives.apache.org/mod_mbox/portals-pluto-user/201904.mbox/%3CCAAqbB_ev=0KNgZmmNAq2=q11i1GYLGN6J-xCKx8Q8dbxZ4tZYg%40mail.gmail.com%3E | mailing-list, x_refsource_MLIST | |
| https://www.openwall.com/lists/oss-security/2019/04/25/8 | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/d093e6b0e5f9b3b50928255451afefd8f8fbdcd5bf28a726769a919a%40%3Cpluto-user.portals.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://www.exploit-db.com/exploits/46759/ | exploit, x_refsource_EXPLOIT-DB | |
| http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/108091 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Pluto |
Version: 3.0.0 Version: 3.0.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:14.644Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://portals.apache.org/pluto/security.html", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://mail-archives.apache.org/mod_mbox/portals-pluto-user/201904.mbox/%3CCAAqbB_ev=0KNgZmmNAq2=q11i1GYLGN6J-xCKx8Q8dbxZ4tZYg%40mail.gmail.com%3E", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://www.openwall.com/lists/oss-security/2019/04/25/8", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/d093e6b0e5f9b3b50928255451afefd8f8fbdcd5bf28a726769a919a%40%3Cpluto-user.portals.apache.org%3E", }, { name: "46759", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/46759/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html", }, { name: "108091", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108091", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Pluto", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "3.0.0", }, { status: "affected", version: "3.0.1", }, ], }, ], datePublic: "2019-04-25T00:00:00", descriptions: [ { lang: "en", value: "The input fields of the Apache Pluto \"Chat Room\" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file", }, ], problemTypes: [ { descriptions: [ { description: "Cross-Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-04-29T10:06:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://portals.apache.org/pluto/security.html", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://mail-archives.apache.org/mod_mbox/portals-pluto-user/201904.mbox/%3CCAAqbB_ev=0KNgZmmNAq2=q11i1GYLGN6J-xCKx8Q8dbxZ4tZYg%40mail.gmail.com%3E", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://www.openwall.com/lists/oss-security/2019/04/25/8", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/d093e6b0e5f9b3b50928255451afefd8f8fbdcd5bf28a726769a919a%40%3Cpluto-user.portals.apache.org%3E", }, { name: "46759", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/46759/", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html", }, { name: "108091", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108091", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2019-0186", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Pluto", version: { version_data: [ { version_value: "3.0.0", }, { version_value: "3.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The input fields of the Apache Pluto \"Chat Room\" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Cross-Site Scripting", }, ], }, ], }, references: { reference_data: [ { name: "https://portals.apache.org/pluto/security.html", refsource: "MISC", url: "https://portals.apache.org/pluto/security.html", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", refsource: "MLIST", url: "http://mail-archives.apache.org/mod_mbox/portals-pluto-user/201904.mbox/%3CCAAqbB_ev=0KNgZmmNAq2=q11i1GYLGN6J-xCKx8Q8dbxZ4tZYg@mail.gmail.com%3E", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", refsource: "MLIST", url: "https://www.openwall.com/lists/oss-security/2019/04/25/8", }, { name: "[CVE-2019-0186] The input fields of the Chat Room demo are vulnerable to Cross-Site Scripting (XSS) attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/d093e6b0e5f9b3b50928255451afefd8f8fbdcd5bf28a726769a919a@%3Cpluto-user.portals.apache.org%3E", }, { name: "46759", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/46759/", }, { name: "http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html", }, { name: "108091", refsource: "BID", url: "http://www.securityfocus.com/bid/108091", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2019-0186", datePublished: "2019-04-26T15:56:48", dateReserved: "2018-11-14T00:00:00", dateUpdated: "2024-08-04T17:44:14.644Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }