velocity-tools-view is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute malicious script in a user’s browser because it does not escape a user-provided vm file, supplied as part of the URL, which is displayed in the error page.
www.openwall.com/lists/oss-security/2021/03/10/2
github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152
lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E
lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E
lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7@%3Cuser.velocity.apache.org%3E
lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E
lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E
lists.debian.org/debian-lts-announce/2021/03/msg00021.html
security.gentoo.org/glsa/202107-52