Описание
Cross site scripting in Apache Sling
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2016-5394
- https://github.com/apache/sling-org-apache-sling-xss/commit/de32b144ad2be3367559f6184d560db42a220529
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2016-5394
- https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525@%3Cdev.sling.apache.org%3E
- http://www.securityfocus.com/bid/99870
Пакеты
Наименование
org.apache.sling:org.apache.sling.xss
maven
Затронутые версииВерсия исправления
< 1.0.12
1.0.12
Наименование
org.apache.sling:org.apache.sling.xss.compat
maven
Затронутые версииВерсия исправления
< 1.1.0
1.1.0
Связанные уязвимости
CVSS3: 6.1
nvd
около 8 лет назад
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.