Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03bWZ3LTQzYzQtNDVtcc4AAXdf
Cross-site Scripting in Apache Sling XSS Protection API
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
Permalink: https://github.com/advisories/GHSA-7mfw-43c4-45mqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03bWZ3LTQzYzQtNDVtcc4AAXdf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-7mfw-43c4-45mq, CVE-2017-15717
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15717
- https://s.apache.org/CVE-2017-15717
- https://github.com/advisories/GHSA-7mfw-43c4-45mq
Affected Packages
maven:org.apache.sling:org.apache.sling.xss.compat
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: = 1.1.0
No known fixed version
All affected versions: 1.1.0
maven:org.apache.sling:org.apache.sling.xss
Dependent packages: 36Dependent repositories: 28
Downloads:
Affected Version Ranges: >= 1.0.4, < 2.0.4
Fixed in: 2.0.4
All affected versions: 1.0.4, 1.0.6, 1.0.8, 1.0.12, 1.0.14, 1.0.16, 1.0.18, 2.0.0
All unaffected versions: 1.0.0, 1.0.2, 2.0.4, 2.0.6, 2.0.8, 2.0.10, 2.0.12, 2.0.14, 2.1.0, 2.1.6, 2.1.8, 2.1.10, 2.1.16, 2.1.18, 2.2.0, 2.2.2, 2.2.6, 2.2.8, 2.2.10, 2.2.12, 2.2.14, 2.2.16, 2.2.18, 2.2.20, 2.3.0, 2.3.2, 2.3.4, 2.3.6, 2.3.8, 2.4.0