Lucene search

GoogleOSV:GHSA-JJ93-4JR5-X45H

HistoryNov 02, 2022 - 7:00 p.m.

Apache Sling App CMS vulnerable to Cross-site Scripting

2022-11-0219:00:31

Google

osv.dev

cross-site scripting

sling app cms

version 1.1.0

authenticated

remote attacker

reflected xss

taxonomy management

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

30.3%

JSON

A Cross-site Scripting vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.

CPENameOperatorVersion
org.apache.sling:org.apache.sling.cmseq1.1.0
org.apache.sling:org.apache.sling.cmseq0.11.2
org.apache.sling:org.apache.sling.cmseq1.0.2
org.apache.sling:org.apache.sling.cmseq0.11.0
org.apache.sling:org.apache.sling.cmseq0.16.0
org.apache.sling:org.apache.sling.cmseq0.9.0
org.apache.sling:org.apache.sling.cmseq0.14.0
org.apache.sling:org.apache.sling.cmseq0.16.2
org.apache.sling:org.apache.sling.cmseq0.12.0
org.apache.sling:org.apache.sling.cmseq1.0.4

Name	Operator	Version
org.apache.sling:org.apache.sling.cms	eq	1.1.0
org.apache.sling:org.apache.sling.cms	eq	0.11.2
org.apache.sling:org.apache.sling.cms	eq	1.0.2
org.apache.sling:org.apache.sling.cms	eq	0.11.0
org.apache.sling:org.apache.sling.cms	eq	0.16.0
org.apache.sling:org.apache.sling.cms	eq	0.9.0
org.apache.sling:org.apache.sling.cms	eq	0.14.0
org.apache.sling:org.apache.sling.cms	eq	0.16.2
org.apache.sling:org.apache.sling.cms	eq	0.12.0
org.apache.sling:org.apache.sling.cms	eq	1.0.4

Rows per page:

1-10 of 111

References

www.openwall.com/lists/oss-security/2022/11/02/8

github.com/apache/sling-org-apache-sling-app-cms

lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs

nvd.nist.gov/vuln/detail/CVE-2022-43670