CVE-2017-9802

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

0.6%

top 31.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Sling Servlets Post

Timeline

PublishedAug 14

Latest updateMay 14

Description

The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Mavenorg.apache.sling:org.apache.sling.servlets.post< 2.3.22

▶NVDapache/sling_servlets_post2.3.20

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post↗2022-05-14

▶

GHSA

Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post↗2022-05-14

▶

CVEList

CVE-2017-9802: The Javascript method Sling↗2017-08-14

▶