CVE-2016-5394

Опубликовано: 19 июл. 2017

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Ссылки

http://www.securityfocus.com/bid/99870
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
http://www.securityfocus.com/bid/99870
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:sling:*:*:*:*:*:*:*:*

Версия до 1.0.12 (исключая)

EPSS

Процентиль: 77%

0.01094

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-xwf4-88xr-hx2j