Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
Remediation
References
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069
https://issues.apache.org/jira/browse/SLING-2082
http://jvn.jp/en/jp/JVN61328139/index.html
http://www.securityfocus.com/bid/74839
https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E