An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Apache Velocity is a Java-based template engine used by developers for designing views in a Model-View-Controller (MVC) architecture. The vulnerability is being internally tracked as CVE-2020-13959.
Source: https://www.bleepingcomputer.com/news/security/undisclosed-apache-velocity-xss-vulnerability-impacts-gov-sites/