CVE-2016-5394
MEDIUM6.1EPSS 1.3%Cross site scripting in Apache Sling
發布日:2022/5/13修改日:2024/2/16
描述
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
受影響套件(2)
- Maven/org.apache.sling:org.apache.sling.xssfrom 0, < 1.0.12
- Maven/org.apache.sling:org.apache.sling.xss.compatfrom 0, < 1.1.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-5394
- WEBhttps://github.com/apache/sling-org-apache-sling-xss/commit/de32b144ad2be3367559f6184d560db42a220529
- WEBhttps://github.com/jensdietrich/xshady-release/tree/main/CVE-2016-5394
- WEBhttps://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525@%3Cdev.sling.apache.org%3E
- WEBhttp://www.securityfocus.com/bid/99870