
Cloud Vulnerability DB
A community-led vulnerabilities database
GWTUpload, a library for uploading files to web servers developed by Manuel Carrasco Moñino, contains a Cross-Site Scripting (XSS) vulnerability tracked as CVE-2020-9447. The flaw was confirmed in version 1.0.3 and may also affect earlier versions. It was first reported to the maintainer on November 12, 2019, and publicly disclosed on March 16, 2020 (CoreLabs Advisory).
The vulnerability lies in GWTUpload's file upload handling. The name of an uploaded file is chosen by the client, and the library reflects it into the page without sanitizing or HTML-encoding it, so a filename that carries HTML or JavaScript is rendered as active content instead of as text, and the attacker's script runs. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, formerly titled "Failure to Preserve Web Page Structure"), the CWE for cross-site scripting (CoreLabs Advisory).
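The following is an added illustration of the unsafe pattern described above and of the two fixes a practitioner would apply. It is written in plain JavaScript for readability and is not GWTUpload's code (GWTUpload itself is a Java/GWT library); the function names, the HTML template and the sample filename are constructed for this page.

```javascript
// Added example, not GWTUpload code: why an unsanitized upload filename is an
// XSS sink, and two independent defenses against it.

// Constructed attacker filename, the kind of value the "filename" parameter of
// a multipart Content-Disposition header can carry.
const MALICIOUS_FILENAME = '"><img src=x onerror=alert(document.cookie)>.png';

// VULNERABLE: the filename is concatenated straight into HTML markup.
// If the result is assigned to innerHTML, the injected <img> tag executes.
function renderUploadRowUnsafe(filename) {
  return `<li class="upload">${filename}</li>`;
}

// Defense 1, output encoding: neutralize the characters that have meaning in
// an HTML text or attribute context. This alone stops the XSS.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

function renderUploadRowSafe(filename) {
  return `<li class="upload">${escapeHtml(filename)}</li>`;
}

// Defense 2, server-side input normalization: reduce the filename to a
// basename, drop control characters, allow-list the character set and cap the
// length. This also blocks path traversal. It complements encoding rather than
// replacing it, because a legitimate filename may contain "&" or "<".
function sanitizeUploadFilename(raw, maxLen = 128) {
  let name = String(raw).split(/[\\/]/).pop();       // strip any path component
  name = name.replace(/[\u0000-\u001f\u007f]/g, ''); // strip control characters
  name = name.replace(/[^A-Za-z0-9._-]/g, '_');      // allow-list characters
  name = name.replace(/^\.+/, '');                   // no hidden, "." or ".." names
  if (name.length > maxLen) name = name.slice(-maxLen); // keep the extension
  return name.length ? name : 'upload';
}

// Check usable in a unit test or review: does the rendered fragment contain a
// tag boundary that did not come from our own template?
function containsInjectedMarkup(html) {
  const body = html.replace(/^<li class="upload">/, '').replace(/<\/li>$/, '');
  return /[<>]/.test(body);
}

// Stand-alone demonstration.
console.log('unsafe :', renderUploadRowUnsafe(MALICIOUS_FILENAME));
console.log('encoded:', renderUploadRowSafe(MALICIOUS_FILENAME));
console.log('sanitized name:', sanitizeUploadFilename(MALICIOUS_FILENAME));
console.log('traversal attempt ->', sanitizeUploadFilename('../../etc/passwd'));
```

Encoding at the point where the filename is written into the page is the fix the patches described on this page implement; the server-side allow-list is the additional hardening most deployments want, since the same untrusted filename is usually also used to name the file on disk.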
If exploited, the vulnerability lets an attacker execute JavaScript of their choosing in the browser of any other user to whom the malicious filename is displayed. That can be used to steal session data, alter the appearance of the site, or mount phishing and drive-by attacks against those users (CoreLabs Advisory).
No official release fixing the issue has been published. Patches that sanitize the uploaded filename have been developed and are available in community forks of the project (CoreLabs Advisory). Applications that embed GWTUpload can also mitigate the issue independently by HTML-encoding the filename wherever it is rendered.
Source: This report was generated using AI