CVE-2022-43670 — Cross-site Scripting in Software Foundation Apache Sling APP CMS

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 42.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Sling APP CMS Apache Sling CMS

Timeline

PublishedNov 2

Description

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_sling_app_cmsunspecified — 1.1.2

▶NVDapache/sling_cms1.1.0

🔴Vulnerability Details

OSV

Apache Sling App CMS vulnerable to Cross-site Scripting↗2022-11-02

▶

GHSA

Apache Sling App CMS vulnerable to Cross-site Scripting↗2022-11-02

▶

CVEList

XSS in Sling CMS Reference App Taxonomy Path↗2022-11-02

▶