When you try to import a nonexistent page with JS fragments in URL parameters, like
http://.../page.jsp?paramName="<script>alert('BT_XSS')</script>">&param2=2...
the following content is inserted into the response:
"The requested resource ({URL ABOVE}) is not available."
The content is not encoded, so JS code from the URL is executed.
I think DefaultServlet should do something like
response.getWriter().write(sm.getString("defaultServlet.missingResource", urlEncoder.encode(requestUri)));
but HTML or XML encoding might be better.
I wouldn't class this as a vulnerability as it requires both a bug (missing page) in the app and the app to pass on request parameters to the included page without validating them. Regardless, I have added HTML filtering so the output isn't corrupted.
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Fixed in 5.5 in r918592, will be in 5.5.29 onwards.
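The encoding choices discussed in this thread, as an added Java example (not Tomcat's code and not part of the original comments). The class name, method names and sample URI are constructed for illustration; the block builds the message unfiltered, URL-encoded as the report suggests, and HTML-filtered.

```java
import java.net.URLEncoder;

// Added illustration, not Tomcat's code; class and method names are hypothetical.
public class MissingResourceMessage {
    // Message text quoted in the report.
    static final String TEMPLATE = "The requested resource (%s) is not available.";

    // Replace characters that are significant in HTML text and attribute values.
    static String htmlFilter(String input) {
        StringBuilder out = new StringBuilder(input.length() + 32);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String message(String uriText) {
        return String.format(TEMPLATE, uriText);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the URL in the report.
        String uri = "/page.jsp?paramName=\"<script>alert('BT_XSS')</script>\">&param2=2";

        String raw = message(uri);                                 // reported behaviour
        String urlEncoded = message(URLEncoder.encode(uri, "UTF-8")); // reporter's suggestion
        String filtered = message(htmlFilter(uri));                // HTML filtering

        System.out.println("raw:         " + raw);
        System.out.println("URL-encoded: " + urlEncoded);
        System.out.println("HTML-filter: " + filtered);

        // Neither encoded form leaves a tag in the output; only the HTML-filtered
        // one still shows the original URI text once a browser renders it.
        if (urlEncoded.contains("<") || filtered.contains("<")) {
            throw new IllegalStateException("markup survived encoding");
        }
    }
}
```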