Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
Remediation
References
http://jvn.jp/en/jp/JVN61328139/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069
http://www.securityfocus.com/bid/74839
https://issues.apache.org/jira/browse/SLING-2082
https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E
Related Vulnerabilities
CVE-2020-6950 Vulnerability in maven package org.glassfish:jakarta.faces
CVE-2016-2163 Vulnerability in maven package org.apache.openmeetings:openmeetings-web
CVE-2020-8913 Vulnerability in maven package com.google.android.play:core
CVE-2017-7662 Vulnerability in maven package org.apache.cxf.fediz:fediz-cxf
CVE-2015-0250 Vulnerability in maven package batik:batik-transcoder