Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
Remediation
References
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069
https://issues.apache.org/jira/browse/SLING-2082
http://jvn.jp/en/jp/JVN61328139/index.html
http://www.securityfocus.com/bid/74839
https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E
Related Vulnerabilities
CVE-2018-8038 Vulnerability in maven package org.apache.cxf.fediz:fediz-core
CVE-2018-1000605 Vulnerability in maven package org.jenkins-ci.plugins:collabnet
CVE-2016-3737 Vulnerability in maven package org.rhq:rhq-enterprise-comm
CVE-2018-1000169 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2017-8028 Vulnerability in maven package org.springframework.ldap:spring-ldap-core