WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2016-5394 Vulnerability in maven package org.apache.sling:org.apache.sling.xss

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Remediation

References

http://www.securityfocus.com/bid/99870

https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E

Related Vulnerabilities

CVE-2021-21631 Vulnerability in maven package org.jenkins-ci.plugins:cloud-stats

CVE-2021-43862 Vulnerability in npm package jquery.terminal

CVE-2022-34113 Vulnerability in maven package io.dataease:dataease-plugin-common

CVE-2023-35165 Vulnerability in npm package aws-cdk-lib

CVE-2019-10744 Vulnerability in maven package org.webjars:lodash

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry