In the Java world, there are plenty of areas that allow hackers to play tricks. VMware announced that it found a so-called DOM-based cross-site scripting vulnerability and a missing renewal of session tokens vulnerability. In my view, both vulnerabilities resemble the security weaknesses of modern Java applications, and we are able to apply a filter to address them, for example a regular expression solution. In short, please refer to the official announcement for reference:
vRealize Automation updates address multiple security issues