Apache · Apache Commons Beanutils · CVE-2025-48734
**Name of the Vulnerable Software and Affected Versions**
Apache Commons BeanUtils versions 1.x before 1.11.0
Apache Commons BeanUtils versions 2.x before 2.0.0-M2
**Description**
The issue is an improper access control weakness in Apache Commons BeanUtils: when an application resolves enum properties in an uncontrolled way, specifically through the `getProperty()` method of `PropertyUtilsBean` or through `PropertyUtilsBean.getNestedProperty()`, an attacker can reach the enum's class loader via the `declaredClass` property available on all Java enum objects. Access to the ClassLoader in turn allows remote attackers to execute arbitrary code. A special `BeanIntrospector` class that suppresses the `declaredClass` property was added and is enabled by default in versions 1.11.0 and 2.0.0-M2.
**Recommendations**
For Apache Commons BeanUtils versions 1.x before 1.11.0, upgrade to version 1.11.0 to fix the issue.
For Apache Commons BeanUtils versions 2.x before 2.0.0-M2, upgrade to version 2.0.0-M2 to fix the issue.
If upgrading is not immediately possible, consider disabling access to the `declaredClass` property as a temporary workaround.
Restrict access to the `getProperty()` method of `PropertyUtilsBean` and to `PropertyUtilsBean.getNestedProperty()` to minimize the risk of exploitation.
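The recommendation above in code, as an added example that is not from the advisory or the Apache Commons project: a wrapper that lets only explicitly listed, non-nested property names reach `PropertyUtilsBean.getProperty()`, and registers a `SuppressPropertiesBeanIntrospector` as defence in depth on builds that cannot be upgraded yet. It assumes commons-beanutils 1.9.2 or later on the classpath (for `addBeanIntrospector` and `SuppressPropertiesBeanIntrospector`); `SafeBeanAccess`, `Order` and `Status` are constructed names.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public final class SafeBeanAccess {
    // Private instance, so other code reconfiguring the shared BeanUtilsBean cannot undo the setup below.
    private static final PropertyUtilsBean PROPS = new PropertyUtilsBean();
    static {
        // Defence in depth for builds before 1.11.0 / 2.0.0-M2: suppress "class" (the older
        // CVE-2014-0114 vector), "declaredClass" as named in this advisory, and "declaringClass",
        // the JavaBeans property name derived from java.lang.Enum.getDeclaringClass().
        Set<String> hidden = new HashSet<String>(
                Arrays.asList("class", "declaredClass", "declaringClass"));
        PROPS.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(hidden));
    }
    // Only a bare identifier is accepted: no ".", "[" or "(" means no nested, indexed or
    // mapped traversal, so an external path can never walk from an enum-typed property
    // into its class or class loader.
    private static final Pattern SIMPLE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    private final Set<String> allowed;

    public SafeBeanAccess(Set<String> allowedProperties) {
        this.allowed = Collections.unmodifiableSet(new HashSet<String>(allowedProperties));
    }

    // Primary control: the external path must match an allowlisted name exactly; the
    // introspector registered above only backstops this check.
    public Object get(Object bean, String externalPath)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        if (externalPath == null || !SIMPLE_NAME.matcher(externalPath).matches()
                || !allowed.contains(externalPath)) {
            throw new IllegalArgumentException("property not permitted: " + externalPath);
        }
        return PROPS.getProperty(bean, externalPath);
    }

    // Constructed sample bean with an enum-typed property, for the demo below.
    public enum Status { OPEN, CLOSED }
    public static class Order { public Status getStatus() { return Status.OPEN; } }

    public static void main(String[] args) throws Exception {
        SafeBeanAccess access = new SafeBeanAccess(Collections.singleton("status"));
        System.out.println(access.get(new Order(), "status"));        // allowlisted simple name
        try { access.get(new Order(), "status.declaredClass"); }      // nested path, refused before BeanUtils is reached
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```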