CVE-2015-2944

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.3MEDIUM

EPSS

2.9%

top 13.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Sling API Apache Sling Servlets Post

Timeline

PublishedJun 2

Latest updateMay 13

Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶Mavenorg.apache.sling:org.apache.sling.servlets.post< 2.1.2

▶NVDapache/sling_servlets_post2.1.0

▶Mavenorg.apache.sling:org.apache.sling.api< 2.2.2

▶NVDapache/sling_api2.2.0

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation in Apache Sling↗2022-05-13

▶

GHSA

Improper Neutralization of Input During Web Page Generation in Apache Sling↗2022-05-13

▶

CVEList

CVE-2015-2944: Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2↗2015-06-02

▶