Description
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Remediation
References
http://www.securityfocus.com/bid/99870
https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
Related Vulnerabilities
CVE-2022-41248 Vulnerability in maven package org.jenkins-ci.plugins:bigpanda-jenkins
CVE-2023-33510 Vulnerability in maven package org.jeecgframework.p3:jeecg-p3-biz-chat
CVE-2021-21252 Vulnerability in maven package org.webjars.bower:jquery-validation
CVE-2023-40342 Vulnerability in maven package org.jenkins-ci.plugins:flaky-test-handler
CVE-2022-45598 Vulnerability in npm package @joplin/renderer