Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 10 Jan 2018 07:18:57 +0000
From: Radu Cotescu <radu@...che.org>
To: Sling Dev <dev@...ng.apache.org>, security@...ng.apache.org, users@...ng.apache.org, 
	oss-security@...ts.openwall.com, lkrapf@...be.com
Subject: CVE-2017-15717: Insufficient XSS protection for HREF attributes in
 Apache Sling XSS Protection API

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling XSS Protection API 1.0.4 to 1.0.18,
Apache Sling XSS Protection API Compat 1.1.0,
Apache Sling XSS Protection API 2.0.0

Description:
A flaw in the way URLs are escaped and encoded in the
org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and
org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted
URLs to pass as valid,
although they carry XSS payloads.

Mitigation:
Users should upgrade to version 2.0.4 or later of the Apache Sling XSS
Protection
API module.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ