CVE-2023-22849 — Cross-site Scripting in Software Foundation Apache Sling APP CMS

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 37.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Sling APP CMS Apache Sling CMS

Timeline

PublishedFeb 4

Description

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/sling_cms< 1.1.6

▶CVEListV5apache_software_foundation/apache_sling_app_cms< 1.1.6

🔴Vulnerability Details

GHSA

Sling App CMS Cross-site Scripting vulnerability↗2023-02-04

▶

CVEList

Apache Sling App CMS: XSS in CMS Reference / UI Components↗2023-02-04

▶

OSV

Sling App CMS Cross-site Scripting vulnerability↗2023-02-04

▶