A security researcher presenting themselves as "Ϡ" has reported to security@ a reflected XSS on archiva.wikimedia.org.
Steps to reproduce:
The payload - ;"><svg/onload=alert(document.domain)> - (and similar) appears to work under any random directory, with what appears to be Jetty's default directory-listing capability enabled. I'm wondering if that could simply be disabled?
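The following is an added example, not code from the report or from Wikimedia or Jetty, showing the check a practitioner would run before and after the fix: place the reported payload in a nonexistent directory name and classify whether the response echoes it raw, HTML-escaped, or not at all. The hostname, the directory-listing markup (a "Directory:" title, which is only an assumption about how the listing page looks) and the sample response bodies are all constructed; the fake fetch functions stand in for a real HTTP request so the script runs offline.

```python
"""Offline check for unescaped reflection of a URL path segment in an HTML
directory listing. Constructed example; not Wikimedia's or Jetty's code."""
import html
import re
from urllib.parse import quote, urljoin

# Payload quoted in the report. A listing page must never echo it raw.
PAYLOAD = ';"><svg/onload=alert(document.domain)>'

# Constructed sample responses (assumed markup, not captured from the site).
VULNERABLE_LISTING = (
    "<html><head><title>Directory: /probe-dir" + PAYLOAD + "/</title></head>"
    "<body><h1>Directory: /probe-dir" + PAYLOAD + "/</h1><ul></ul></body></html>"
)
FIXED_LISTING = (
    "<html><head><title>Directory: /probe-dir"
    + html.escape(PAYLOAD, quote=True)
    + "/</title></head><body><h1>Directory: /probe-dir"
    + html.escape(PAYLOAD, quote=True)
    + "/</h1><ul></ul></body></html>"
)
NOT_FOUND = "<html><body><h2>HTTP ERROR 404</h2><p>Not Found</p></body></html>"


def build_probe_url(base_url: str, payload: str, directory: str = "probe-dir") -> str:
    """Put the payload inside a directory name that does not exist.
    The segment is percent-encoded so the request line is well formed;
    the server decodes it before rendering any listing."""
    return urljoin(base_url, directory + quote(payload, safe="") + "/")


def classify_reflection(body: str, payload: str) -> str:
    """'unescaped' if the raw payload appears in the response,
    'escaped' if only the HTML-escaped form appears, 'absent' otherwise.
    Only 'unescaped' is the reported bug; servers that escape differently
    (e.g. &#34; for a quote) land in 'absent', which is still not raw."""
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def is_directory_listing(body: str) -> bool:
    """Assumption: a listing page carries a 'Directory:' title or heading."""
    return re.search(r"<(?:title|h1)>\s*Directory:", body, re.IGNORECASE) is not None


def probe(fetch, base_url: str, payload: str = PAYLOAD) -> dict:
    """fetch(url) -> response body as str. Returns the verdict for one probe.
    With directory listing disabled, 'listing' should be False and the
    reflection should not be 'unescaped'."""
    url = build_probe_url(base_url, payload)
    body = fetch(url)
    return {
        "url": url,
        "listing": is_directory_listing(body),
        "reflection": classify_reflection(body, payload),
    }


# Fake fetchers standing in for a network request (constructed).
def fetch_vulnerable(url: str) -> str:
    return VULNERABLE_LISTING


def fetch_escaped(url: str) -> str:
    return FIXED_LISTING


def fetch_listing_disabled(url: str) -> str:
    return NOT_FOUND


if __name__ == "__main__":
    base = "https://archiva.example.org/"  # placeholder host, not the real one
    for name, fetcher in (("before fix", fetch_vulnerable),
                          ("escaped output", fetch_escaped),
                          ("listing disabled", fetch_listing_disabled)):
        print(name, probe(fetcher, base))
```

To run it against a live host, replace the fake fetcher with a function that performs the request (for example with urllib.request) and returns the decoded body; the classification logic is unchanged. Disabling the listing is the stronger fix because it removes the reflection sink entirely rather than relying on escaping.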