CVE-2019-0186

MEDIUM

Apache Pluto Chat Room Demo 3.0.0-3.0.1 - Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-0186. PoCs published by Dhiraj Mishra.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in Apache Pluto's 'Chat Room' portlet demo. The vulnerability allows attackers to inject raw HTML markup into the 'Name' or 'Message' input fields, which is then embedded in the subsequent web page.

Description

The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting (XSS) attacks. Mitigation: * Uninstall the ChatRoomDemo war file - or - * migrate to version 3.1.0 of the chat-room-demo war file

Exploits (1)

exploitdb WRITEUP

by Dhiraj Mishra · textwebappsjava

https://www.exploit-db.com/exploits/46759

View Code ZIP pw:eip

This is a writeup describing a stored XSS vulnerability in Apache Pluto's 'Chat Room' portlet demo. The vulnerability allows attackers to inject raw HTML markup into the 'Name' or 'Message' input fields, which is then embedded in the subsequent web page.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Apache Pluto 3.0.0, 3.0.1

No auth needed

Prerequisites: Access to the 'Chat Room' portlet demo page

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Mitigation, Vendor Advisory x_refsource_misc

https://portals.apache.org/pluto/security.html

Various Sources mailing-list x_refsource_mlist

http://mail-archives.apache.org/mod_mbox/portals-pluto-user/201904.mbox/%3CCAAqbB_ev=0KNgZmmNAq2=q11i1GYLGN6J-xCKx8Q8dbxZ4tZYg%40mail.gmail.com%3E

Mailing List, Mitigation, Third Party Advisory mailing-list x_refsource_mlist

https://www.openwall.com/lists/oss-security/2019/04/25/8

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/d093e6b0e5f9b3b50928255451afefd8f8fbdcd5bf28a726769a919a%40%3Cpluto-user.portals.apache.org%3E

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46759/

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/152642/Apache-Pluto-3.0.0-3.0.1-Cross-Site-Scripting.html

Third Party Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/108091

Scores

CVSS v3 6.1

EPSS 0.0575

EPSS Percentile 90.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

apache/pluto 3.0.0

apache/pluto 3.0.1

org.apache.portals.pluto/chatRoomDemo 3.0.0 - 3.1.0Maven

Published Apr 26, 2019

Tracked Since Feb 18, 2026