Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

Remediation

References

http://jvn.jp/en/jp/JVN61328139/index.html

http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069

http://www.securityfocus.com/bid/74839

https://issues.apache.org/jira/browse/SLING-2082

https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E

https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E

Related Vulnerabilities

CVE-2020-36732 Vulnerability in maven package org.webjars.bowergithub.brix:crypto-js

CVE-2023-29207 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-skin-resources

CVE-2019-10401 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2014-0035 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2011-1077 Vulnerability in maven package org.apache.archiva:archiva

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory Exploit