CVE-2017-15717

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

1.0%

top 22.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Sling XSS Protection API Apache Software Foundation Apache Sling Apache Sling XSS Protection API Compat

Timeline

PublishedJan 10

Latest updateMay 14

Description

A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDapache/sling_xss_protection_api_compat1.1.0

▶NVDapache/sling_xss_protection_api1.0.18+1

▶Mavenorg.apache.sling:org.apache.sling.xss1.0.4 — 2.0.4

▶CVEListV5apache_software_foundation/apache_slingXSS Protection API 1.0.4 to 1.0.18, XSS Protection API 2.0.0, XSS Protection API Compat 1.1.0+2

🔴Vulnerability Details

GHSA

Cross-site Scripting in Apache Sling XSS Protection API↗2022-05-14

▶

OSV

Cross-site Scripting in Apache Sling XSS Protection API↗2022-05-14

▶

CVEList

CVE-2017-15717: A flaw in the way URLs are escaped and encoded in the org↗2018-01-10

▶