CVE-2016-5394
published 2017-07-19CVE-2016-5394: In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for…
medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | sling | < 1.0.12 | 1.0.12 |
| apache_software_foundation | apache_sling | — | — |