CVE-2017-9802

Опубликовано: 14 авг. 2017

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

Ссылки

http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/541024/100/0/threaded
http://www.securityfocus.com/bid/100284
Third Party Advisory
VDB Entry
https://issues.apache.org/jira/browse/SLING-7041
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91%40%3Cdev.sling.apache.org%3E
http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/541024/100/0/threaded
http://www.securityfocus.com/bid/100284
Third Party Advisory
VDB Entry
https://issues.apache.org/jira/browse/SLING-7041
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91%40%3Cdev.sling.apache.org%3E

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*

Версия до 2.3.20 (включая)

EPSS

Процентиль: 68%

0.00584

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-8c82-9rgp-4qvr