Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

Remediation

References

http://jvn.jp/en/jp/JVN61328139/index.html

http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069

http://www.securityfocus.com/bid/74839

https://issues.apache.org/jira/browse/SLING-2082

https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E

Related Vulnerabilities

CVE-2017-15691 Vulnerability in maven package org.apache.uima:uimaj-adapter-vinci

CVE-2020-5403 Vulnerability in maven package io.projectreactor.netty:reactor-netty

CVE-2017-2602 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2014-0119 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-43408 Vulnerability in maven package org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory Exploit