Description
This script is possibly vulnerable to Expression Language Injection attacks.
To provide easy ways of outputting data from an object model that more closely resembles pure scripting languages, Expression Language (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library).
JSP EL is a specification (JSR-245 and JSR 252 [2]) and there are many implementations:
Expression Language Injection occurs when user input is evaluated by a J2EE servers Expression Language resolvers, and a common opportunity for this vulnerability to occur today is with the usage of Spring JSP tags.
Remediation
Perform data validation best practice against untrusted input and to ensure that output encoding is applied when data arrives on the EL layer, so that no metacharacter is found by the interpreter within the user content before evaluation. The most obvious patterns to detect include ${ and #{, but it may be possible to encode or fragment this data.
References
Related Vulnerabilities
Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)
PrimeFaces 5.x Expression Language injection
Unauthenticated OGNL injection in Confluence Server and Data Center
Arbitrary EL Evaluation in RichFaces
Unauthenticated remote code execution vulnerability in Confluence Server and Data Center