oss-sec mailing list archives
CVE-2020-1949: Apache Sling CMS Reflected XSS Vulnerability
From: Daniel Klco <dklco () apache org>
Date: Tue, 24 Mar 2020 23:21:38 -0400
Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Sling CMS 0.14.0 and previous releases

Description: Scripts in Sling CMS do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.

Mitigation: All users should upgrade to 0.16.0

Credit: This issue was discovered by Guillaume GRABÉ, Pentester from Orange Cyberdefense France

References: https://sling.apache.org/project-information/security.html
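As an added illustration of the bug class the advisory describes (not code from Sling CMS, the advisory author, or the fix itself): a simplified Python model of Sling's selector parsing, with the selector string reflected raw into navigation markup beside the HTML-encoded form and an allowlist check for selector syntax. The parser, the sample request path and the rendering functions are assumptions constructed here; real Sling resolves the resource path against the repository.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request path (not from the advisory): the selector carries markup.
SAMPLE_PATH = "/cms/admin/content.edit%22%3E%3Cb%3Eevil.html/extra"

# Assumption: Sling selectors in practice are short tokens of letters, digits, '-' and '_'.
SELECTOR_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_sling_path_info(path):
    """Simplified model of Sling's RequestPathInfo: resource path up to the first dot,
    then selectors, then the extension, then an optional '/suffix'. Assumption: the
    container has already percent-decoded the path, so unquote() stands in for that."""
    path = unquote(path)
    head, sep, rest = path.partition(".")
    if not sep:
        return path, [], None, None
    rest, slash, suffix = rest.partition("/")
    parts = rest.split(".")
    return head, parts[:-1], parts[-1], ("/" + suffix if slash else None)


def render_nav_unescaped(resource_path, selectors):
    """Vulnerable pattern: the selector string from the URL is concatenated straight
    into the navigation markup, so markup characters in it become part of the page."""
    sel = ".".join(selectors)
    return f'<a class="current" href="{resource_path}.{sel}.html">{sel}</a>'


def render_nav_escaped(resource_path, selectors):
    """Hardened form: every untrusted fragment is HTML-encoded before it lands in an
    attribute value or element text (html.escape covers < > & " and ')."""
    sel = html.escape(".".join(selectors), quote=True)
    path = html.escape(resource_path, quote=True)
    return f'<a class="current" href="{path}.{sel}.html">{sel}</a>'


def selector_is_wellformed(selector):
    """Defence in depth: reject selectors outside the expected token syntax before use."""
    return bool(SELECTOR_RE.match(selector))


def selector_is_reflected_raw(rendered, selectors):
    """Review/test check: True if a selector containing markup characters appears in
    the output verbatim, i.e. the page reflects it without encoding."""
    raw = ".".join(selectors)
    return any(c in raw for c in '<>"\'&') and raw in rendered


if __name__ == "__main__":
    rp, sels, ext, suffix = parse_sling_path_info(SAMPLE_PATH)
    print(render_nav_unescaped(rp, sels))  # markup from the URL survives intact
    print(render_nav_escaped(rp, sels))    # markup is neutralised as &lt;b&gt; etc.
```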