Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14d2Y0LTg4eHItaHgyas4AAQZ1

Cross site scripting in Apache Sling

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Permalink: https://github.com/advisories/GHSA-xwf4-88xr-hx2j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14d2Y0LTg4eHItaHgyas4AAQZ1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-xwf4-88xr-hx2j, CVE-2016-5394
References: Repository: https://github.com/jensdietrich/xshady-release
Blast Radius: 8.8

Affected Packages

maven:org.apache.sling:org.apache.sling.xss.compat
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.0
All unaffected versions: 1.1.0
maven:org.apache.sling:org.apache.sling.xss
Dependent packages: 36
Dependent repositories: 28
Affected Version Ranges: < 1.0.12
Fixed in: 1.0.12
All affected versions: 1.0.0, 1.0.2, 1.0.4, 1.0.6, 1.0.8
All unaffected versions: 1.0.12, 1.0.14, 1.0.16, 1.0.18, 2.0.0, 2.0.4, 2.0.6, 2.0.8, 2.0.10, 2.0.12, 2.0.14, 2.1.0, 2.1.6, 2.1.8, 2.1.10, 2.1.16, 2.1.18, 2.2.0, 2.2.2, 2.2.6, 2.2.8, 2.2.10, 2.2.12, 2.2.14, 2.2.16, 2.2.18, 2.2.20, 2.3.0, 2.3.2, 2.3.4, 2.3.6, 2.3.8, 2.4.0