oss-sec mailing list archives
CVE-2016-5394 : Apache Sling XSS vulnerability
From: Bertrand Delacretaz <bdelacretaz () apache org>
Date: Tue, 18 Jul 2017 12:23:32 +0200
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Sling XSS Protection API 1.0.8

Description: The encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Mitigation: Users should upgrade to version 1.0.12 or later of the XSS Protection API module.
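The class of bug the advisory describes, as an added illustration that is not part of the original post and not Sling's code: a JavaScript-string encoder that escapes only quotes and backslashes leaves `</script>` intact, and the HTML tokenizer closes the script element at the first `</script` it meets regardless of JavaScript string context. The `weak_encode_for_js_string` function below is a constructed, hypothetical encoder standing in for "not restrictive enough"; it is not the actual XSSAPI 1.0.8 implementation and the specific input patterns that bypassed Sling's encoder are not reproduced here. The allow-list encoder beside it is the usual fix: anything outside `[A-Za-z0-9]` becomes a `\xHH` or `\uHHHH` escape, so the characters `<`, `/` and `>` never reach the markup.

```python
import re

# Hypothetical, deliberately incomplete encoder (constructed for illustration;
# NOT the Sling XSSAPI implementation). It handles the JS string literal
# delimiters but ignores the HTML context the script lives in, so a
# "</script>" in the value survives untouched.
def weak_encode_for_js_string(value: str) -> str:
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


# Allow-list encoder: every character outside ASCII alphanumerics is emitted as
# a JS escape sequence. The output is valid inside single- or double-quoted JS
# string literals and contains no '<', '>', '/', quotes or newlines, so neither
# the HTML tokenizer nor the JS parser can be broken out of.
def safe_encode_for_js_string(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        cp = ord(ch)
        if cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:
            # Astral code point: JS source expects a UTF-16 surrogate pair.
            cp -= 0x10000
            hi = 0xD800 + (cp >> 10)
            lo = 0xDC00 + (cp & 0x3FF)
            out.append(f"\\u{hi:04X}\\u{lo:04X}")
    return "".join(out)


# Minimal stand-in for a server-side template that embeds a user-controlled
# value into an inline script (constructed for this example).
def render(user_value: str, encoder) -> str:
    return '<script>var name = "' + encoder(user_value) + '";</script>'


_SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


# The HTML tokenizer terminates a script element at the first "</script" it
# sees, so if the rendered page contains more than the template's own closing
# tag, the value has escaped the JS string and the attacker controls markup.
def script_block_broken(html: str) -> bool:
    return len(_SCRIPT_CLOSE.findall(html)) > 1


if __name__ == "__main__":
    # Constructed sample payload: closes the JS string, then the script element.
    payload = '"; </script><script>alert(1)</script>'
    print("weak encoder broken out:", script_block_broken(render(payload, weak_encode_for_js_string)))
    print("safe encoder broken out:", script_block_broken(render(payload, safe_encode_for_js_string)))
    print(render(payload, safe_encode_for_js_string))
```

The check in `script_block_broken` is the one worth keeping when auditing an encoder: feed it `</script>` and `<!--` and inspect the rendered output as a byte string, not the value as the JS engine would later decode it, because the HTML parser runs first and never sees the JS string boundaries.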