Vulnerability Details CVE-2016-5394
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.8%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://www.securityfocus.com/bid/99870
- https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
- http://www.securityfocus.com/bid/99870
- https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
Products affected by CVE-2016-5394
-
cpe:2.3:a:apache:sling:-
-
cpe:2.3:a:apache:sling:1.0.0
-
cpe:2.3:a:apache:sling:1.0.10
-
cpe:2.3:a:apache:sling:1.0.2
-
cpe:2.3:a:apache:sling:1.0.4
-
cpe:2.3:a:apache:sling:1.0.6
-
cpe:2.3:a:apache:sling:1.0.8