Date: Tue, 18 Jul 2017 12:23:32 +0200
From: Bertrand Delacretaz <bdelacretaz@...che.org>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>, "security@...ng.apache.org" <security@...ng.apache.org>, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: CVE-2016-5394 : Apache Sling XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Sling XSS Protection API 1.0.8

Description: The encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Mitigation: Users should upgrade to version 1.0.12 or later of the XSS Protection API module.
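As an added illustration (not Sling's code, and not a reconstruction of the flawed encoder), the block below places a constructed quote-only JS-string encoder beside a hardened one that hex-escapes every non-alphanumeric character, and checks which output can still terminate an enclosing script block; the function names and the sample input are assumptions.

```javascript
// Added example, not Apache Sling code. Contrasts a too-permissive
// JS-string encoder with one that hex-escapes every character outside
// [A-Za-z0-9], so a literal "</script>" can never reach the HTML parser.

// Hypothetical weak encoder: escapes only quotes and backslashes, which is
// enough for the JS grammar but not for the surrounding HTML tokenizer.
function weakEncodeForJSString(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Hardened encoder: every non-alphanumeric character becomes \xHH, \uHHHH
// or \u{HHHHH}, so the output contains no '<', '>', '/', quotes or newlines.
function encodeForJSString(s) {
  let out = "";
  for (const ch of s) {                // iterates by code point
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).padStart(2, "0");
    } else if (cp < 0x10000) {
      out += "\\u" + cp.toString(16).padStart(4, "0");
    } else {
      out += "\\u{" + cp.toString(16) + "}";
    }
  }
  return out;
}

// True when the encoded value cannot close the enclosing <script> element.
// The HTML tokenizer ends a script block on the byte sequence "</script"
// regardless of JavaScript string syntax, so the encoded text must not
// contain it (the stricter "no '<' at all" check is what the hardened
// encoder guarantees).
function isSafeInScriptBlock(encoded) {
  return !/<\/script/i.test(encoded) && !encoded.includes("<");
}

// Evaluates the encoded literal as JavaScript to confirm it decodes
// back to the original text (the escapes change nothing for the script).
function decodeJSString(encoded) {
  return new Function('return "' + encoded + '";')();
}

// Constructed sample: input that tries to break out of a script block.
const SAMPLE = "</script><script>console.log(1)</script>";
```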