Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04YzgyLTlyZ3AtNHF2cs4AAV9O

Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post

The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

Permalink: https://github.com/advisories/GHSA-8c82-9rgp-4qvr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04YzgyLTlyZ3AtNHF2cs4AAV9O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00238
EPSS Percentile: 0.62529

Identifiers: GHSA-8c82-9rgp-4qvr, CVE-2017-9802
References: Blast Radius: 17.3

Affected Packages

maven:org.apache.sling:org.apache.sling.servlets.post
Dependent packages: 84
Dependent repositories: 676
Downloads:
Affected Version Ranges: < 2.3.22
Fixed in: 2.3.22
All affected versions: 2.1.0, 2.1.2, 2.2.0, 2.3.0, 2.3.2, 2.3.4, 2.3.6, 2.3.8, 2.3.10, 2.3.12, 2.3.14, 2.3.16, 2.3.18, 2.3.20
All unaffected versions: 2.3.22, 2.3.24, 2.3.26, 2.3.28, 2.3.30, 2.3.32, 2.3.34, 2.3.36, 2.4.2, 2.4.4, 2.4.6, 2.5.0, 2.6.0