Description
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
Remediation
References
https://issues.apache.org/jira/browse/SLING-7041
http://www.securityfocus.com/bid/100284
http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/541024/100/0/threaded
https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91%40%3Cdev.sling.apache.org%3E
Related Vulnerabilities
CVE-2019-10173 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2020-2249 Vulnerability in maven package org.jenkins-ci.plugins:tfs
CVE-2023-33945 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk18on
CVE-2023-25569 Vulnerability in maven package com.ctrip.framework.apollo:apollo