CVE-2020-1949

Severity
6.1 MEDIUM
EPSS
1.8%
top 17.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 1
Latest update: May 24

Description

Scripts in Sling CMS before 0.16.0 do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

NVD: apache/sling_cms < 0.16.0
CVEListV5: apache_sling, Apache Sling CMS 0.14.0 and previous releases

🔴 Vulnerability Details

2
GHSA
GHSA-2r68-qm7v-72rg: Scripts in Sling CMS before 0 (2022-05-24)
CVEList
CVE-2020-1949: Scripts in Sling CMS before 0 (2020-04-01)