4 matches found
CVE-2016-0956
CVE-2016-0956 affects the Apache Sling Servlets Post component (version 2.3.6) used by Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0. The issue is an information-disclosure vulnerability in Sling Post 2.3.6 allowing remote attackers to obtain sensitive information via unspecified vectors. APSB...
CVE-2016-6798
In Apache Sling, the XSS Protection API module is affected: versions before 1.0.12 use an insecure SAX parser in XSS.getValidXML(), enabling XML External Entity (XXE) attacks. This can allow attackers to read filesystem data, perform SSRF, scan ports behind a firewall, or cause DoS. Pub...
CVE-2016-5394
CVE-2016-5394 concerns the Apache Sling XSS Protection API. In the XSS Protection API module before version 1.0.12, the encoding performed by XSSAPI.encodeForJSString() is not sufficiently restrictive, allowing certain input patterns to pass unencoded and potentially enable cross-site scripting. T...
CVE-2013-4390
The CVE-2013-4390 vulnerability affects the Apache Sling Auth Core bundle (org.apache.sling.auth.core) in the AbstractAuthenticationFormServlet, with versions prior to 1.1.4. An open redirect exists that lets remote attackers redirect users to arbitrary sites via a resource parameter, enabling ph...