CVE-2017-9802
MEDIUM6.1EPSS 0.58%Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post
發布日:2022/5/14修改日:2023/11/8
描述
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
受影響套件(1)
- Maven/org.apache.sling:org.apache.sling.servlets.postfrom 0, < 2.3.22
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-9802
- WEBhttp://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.html
- WEBhttps://issues.apache.org/jira/browse/SLING-7041
- WEBhttps://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91@%3Cdev.sling.apache.org%3E
- WEBhttp://www.securityfocus.com/archive/1/541024/100/0/threaded
- WEBhttp://www.securityfocus.com/bid/100284