update: this is done. there was only one particularly dangerous file; the rest had moderate vulnerabilities. it is all better now.
won't disclose the security hole, but the ConnectoR class needs to be used instead of a direct call.
there seem to be about 9 JSP pages that can use some tightening.