Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Aug 2017 14:03:47 +0300
From: Robert Munteanu <rombert@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-9802: Apache Sling XSS vulnerability

CVE-2017-9802: Apache Sling XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Servlets Post 2.3.20

Description:
The Javascript method Sling.evalString() uses the javascript `eval`
function to parse input strings, which allows for XSS attacks by
passing specially crafted input strings.

Mitigation:
Users should upgrade to version 2.3.22 or later of the Sling Servlets
Post bundle.

Credit: This issue was discovered and reported by Dmitriev V.
Daniil Dmitriev V. Daniil <sgoesw@...il.com>.

References:

- https://issues.apache.org/jira/browse/SLING-7041
- https://sling.apache.org/project-information/security.html

Robert Munteanu
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ