GHSA-xwf4-88xr-hx2j

Source
https://github.com/advisories/GHSA-xwf4-88xr-hx2j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xwf4-88xr-hx2j/GHSA-xwf4-88xr-hx2j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xwf4-88xr-hx2j
Aliases
Published
2022-05-13T01:25:29Z
Modified
2023-11-01T04:47:02.378852Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross site scripting in Apache Sling
Details

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Database specific
{
    "nvd_published_at": "2017-07-19T15:29:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-03T19:12:07Z"
}
References

Affected packages

Maven / org.apache.sling:org.apache.sling.xss

Package

Name
org.apache.sling:org.apache.sling.xss
Purl
pkg:maven/org.apache.sling/org.apache.sling.xss

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.12

Affected versions

1.*

1.0.0
1.0.2
1.0.4
1.0.6
1.0.8

Maven / org.apache.sling:org.apache.sling.xss.compat

Package

Name
org.apache.sling:org.apache.sling.xss.compat
Purl
pkg:maven/org.apache.sling/org.apache.sling.xss.compat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.0

Affected versions

1.*

1.0.0