CVE-2016-5394

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

1.1%

top 22.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Sling Apache Software Foundation Apache Sling

Timeline

PublishedJul 19

Latest updateMay 13

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDapache/sling< 1.0.12

▶Mavenorg.apache.sling:org.apache.sling.xss< 1.0.12

▶Mavenorg.apache.sling:org.apache.sling.xss.compat< 1.1.0

▶CVEListV5apache_software_foundation/apache_slingprior to 1.0.12

🔴Vulnerability Details

GHSA

Cross site scripting in Apache Sling↗2022-05-13

▶

OSV

Cross site scripting in Apache Sling↗2022-05-13

▶

CVEList

CVE-2016-5394: In the XSS Protection API module before 1↗2017-07-19

▶