Date: Wed, 10 Jan 2018 07:18:57 +0000 From: Radu Cotescu <radu@...che.org> To: Sling Dev <dev@...ng.apache.org>, security@...ng.apache.org, users@...ng.apache.org, oss-security@...ts.openwall.com, lkrapf@...be.com Subject: CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0, Apache Sling XSS Protection API 2.0.0 Description: A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. Mitigation: Users should upgrade to version 2.0.4 or later of the Apache Sling XSS Protection API module.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ