CVE-2017-9802 – org.apache.sling:org.apache.sling.servlets.post
Package
Manager: maven
Name: org.apache.sling:org.apache.sling.servlets.post
Vulnerable Version: >=0 <2.3.22
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00627 (percentile 0.69319)
Details
Improper Neutralization of Input During Web Page Generation (XSS) in Apache Sling Servlets Post. The JavaScript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the JavaScript 'eval' function to parse input strings, which allows XSS attacks via specially crafted input strings.
Metadata
Created: 2022-05-14T02:45:32Z
Modified: 2022-06-30T19:49:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8c82-9rgp-4qvr/GHSA-8c82-9rgp-4qvr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8c82-9rgp-4qvr
Finding: F008
Auto approve: 1