Lucene search
GoogleOSV:GHSA-XWF4-88XR-HX2JHistoryMay 13, 2022 - 1:25 a.m.
Cross site scripting in Apache Sling
2022-05-1301:25:29
Google
osv.dev
5
0.001 Low
EPSS
Percentile
30.5%
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
References
www.securityfocus.com/bid/99870
github.com/apache/sling-org-apache-sling-xss/commit/de32b144ad2be3367559f6184d560db42a220529
github.com/jensdietrich/xshady-release/tree/main/CVE-2016-5394
lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525@%3Cdev.sling.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2016-5394
Related
cve
cve
CVE-2016-5394
2017-07-19 15:29:00
osv
osv
CVE-2016-5394
2017-07-19 15:29:00
nvd
nvd
CVE-2016-5394
2017-07-19 15:29:00
github
github
Cross site scripting in Apache Sling
2022-05-13 01:25:29
veracode
veracode
Cross-site Scripting (XSS)
2017-07-18 20:04:09
prion
prion
Cross site scripting
2017-07-19 15:29:00
cvelist
cvelist
CVE-2016-5394
2017-07-18 00:00:00