Neil Griffin

#14718 of 53,635
18.3 Total CVSS
Vulnerabilities · 3
Medium: 3
PT-2022-10541
6.1
2022-01-06
Apache · Apache Pluto · CVE-2021-36738
**Name of the Vulnerable Software and Affected Versions**
Apache Pluto Applicant MVCBean CDI portlet versions prior to 3.1.1

**Description**
The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks.

**Recommendations**
For versions prior to 3.1.1, migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.
PT-2022-10542
6.1
2022-01-06
Apache · Apache Pluto · CVE-2021-36739
**Name of the Vulnerable Software and Affected Versions**
Apache Pluto version 3.1.0

**Description**
The issue concerns Cross-Site Scripting (XSS) attacks, which occur when an attacker injects malicious code into a website, allowing them to steal user data or take control of the user's session. In this case, the `first name` and `last name` fields of the Apache Pluto MVCBean JSP portlet maven archetype are vulnerable to such attacks.

**Recommendations**
For Apache Pluto version 3.1.0, consider validating and sanitizing user input for the `first name` and `last name` fields to prevent XSS attacks. As a temporary workaround, restrict user input to only allow expected characters and formats for these fields until a patch is available.
PT-2019-11180
6.1
2019-04-26
Apache · Apache Pluto · CVE-2019-0186
[Content removed]