CVE-2022-46769

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.4%

top 41.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Sling APP CMS Apache Sling CMS

Timeline

PublishedJan 9

Description

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDapache/sling_cms< 1.1.4

▶Mavenorg.apache.sling:org.apache.sling.cms< 1.1.4

▶CVEListV5apache_software_foundation/apache_sling_app_cms< 1.1.4

🔴Vulnerability Details

OSV

Apache Sling App CMS vulnerable to reflected Cross-site Scripting↗2023-01-09

▶

GHSA

Apache Sling App CMS vulnerable to reflected Cross-site Scripting↗2023-01-09

▶

CVEList

Apache Sling App CMS: XSS in CMS Site Group Detail↗2023-01-09

▶