Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: eXo PLF:: Platform Public Distributions - Sources



| Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| standard.jar | cpe:/a:apache:standard_taglibs:1.1.2 | taglibs:standard:1.1.2 | High | 1 | Low | 23 |
| jstl.jar | | jstl:jstl:1.1.2 | | 0 | | 24 |

Dependencies

standard.jar

File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/jcr-parent/5.2.x-SNAPSHOT/
MD5: 65351d0487ad57edda9171bb3b46b98c
SHA1: a17e8a4d9a1f7fcc5eed606721c9ed6b7f18acf7
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Sources:compile


  • maven: taglibs:standard:1.1.2    Confidence:Highest
  • cpe: cpe:/a:apache:standard_taglibs:1.1.2   Confidence:Low   


Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Vulnerable Software & Versions:

jstl.jar

File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/jcr-parent/5.2.x-SNAPSHOT/
MD5: c2ced5f8505fe9d1cae685201e9cba07
SHA1: 3375e43c620df4f1114959400ff9bb90d12a2feb
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Sources:compile


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the Node Security Platform.