Date: Wed, 10 Jan 2018 07:18:57 +0000 From: Radu Cotescu <radu@...che.org> To: Sling Dev <dev@...ng.apache.org>, security@...ng.apache.org, users@...ng.apache.org, oss-security@...ts.openwall.com, lkrapf@...be.com Subject: CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0, Apache Sling XSS Protection API 2.0.0 Description: A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. Mitigation: Users should upgrade to version 2.0.4 or later of the Apache Sling XSS Protection API module.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.