U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

Summary: One of the DoD applications uses a java library which is vulnerable to expression language injection. Using only an URL I was able to inject java code. I made a simple PoC that requests a name resolution to a DNS server. Description: The application at https://███ uses Primefaces version...