oss-sec mailing list archives

CVE-2020-1949: Apache Sling CMS Reflected XSS Vulnerability


From: Daniel Klco <dklco () apache org>
Date: Tue, 24 Mar 2020 23:21:38 -0400

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Sling CMS 0.14.0 and previous releases

Description:
Scripts in Sling CMS do not properly escape the Sling Selector from URLs
when generating navigational elements for the administrative consoles and
are vulnerable to reflected XSS attacks.
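The escaping gap described above, illustrated with a constructed Python example (added here; not Sling CMS code): a simplified Sling-style request-path parser, the vulnerable rendering pattern next to its escaped form, and a conservative selector allowlist check. The parser's dot-free resource path and the allowlist pattern are my assumptions, not Sling's own rules.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# Conservative selector allowlist (my assumption for a defensive check, not a Sling rule)
SAFE_SELECTOR = re.compile(r"^[A-Za-z0-9_-]+$")

@dataclass
class SlingRequestPath:
    resource_path: str
    selectors: list
    extension: str
    suffix: str

def parse_sling_path(path: str) -> SlingRequestPath:
    """Simplified split of /a/b/page.sel1.sel2.ext/suffix (assumes a dot-free
    resource path; real Sling resolves the resource against the repository)."""
    first_dot = path.find(".")
    if first_dot == -1:
        return SlingRequestPath(path, [], "", "")
    resource_path, rest = path[:first_dot], path[first_dot + 1:]
    suffix = ""
    slash = rest.find("/")
    if slash != -1:
        rest, suffix = rest[:slash], rest[slash:]
    parts = rest.split(".")
    return SlingRequestPath(resource_path, parts[:-1], parts[-1], suffix)

def selectors_are_safe(req: SlingRequestPath) -> bool:
    """Server-side allowlist check: rejecting odd selectors limits what gets reflected."""
    return all(SAFE_SELECTOR.match(s) for s in req.selectors)

def _href(resource_path: str, selector_string: str, extension: str) -> str:
    middle = f".{selector_string}" if selector_string else ""
    return f"{resource_path}{middle}.{extension}"

def render_nav_link_unescaped(req: SlingRequestPath, label: str) -> str:
    """The defect pattern: request selectors echoed verbatim into the markup."""
    href = _href(req.resource_path, ".".join(req.selectors), req.extension)
    return f'<a href="{href}">{label}</a>'

def render_nav_link_escaped(req: SlingRequestPath, label: str) -> str:
    """Hardened form: percent-encode each selector, then HTML-escape attribute and text."""
    sel = ".".join(quote(s, safe="") for s in req.selectors)
    href = _href(req.resource_path, sel, req.extension)
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'
```

Running both renderers over a constructed selector containing markup characters shows the unescaped variant emitting them verbatim while the escaped variant percent-encodes them in the href and entity-escapes the label.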

Mitigation:
All users should upgrade to 0.16.0

Credit:
This issue was discovered by Guillaume GRABÉ, Pentester at Orange
Cyberdefense France.

References:
https://sling.apache.org/project-information/security.html
