BugTraq
CVE-2017-9802: Apache Sling XSS vulnerability Aug 14 2017 11:04AM
Robert Munteanu (rombert apache org)
CVE-2017-9802: Apache Sling XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Servlets Post 2.3.20

Description:
The JavaScript method Sling.evalString() uses the JavaScript `eval`
function to parse input strings, which allows XSS attacks via
specially crafted input strings, since `eval` executes any code
contained in the string rather than merely parsing a value.
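To make the pattern behind this advisory concrete, here is an added illustration (not Sling's actual evalString code; the function names and input strings are constructed for this sketch) contrasting an eval-based string parser with a strict JSON.parse replacement:

```javascript
// Added illustration, not Sling's code: a minimal sketch of the difference between
// parsing a value with eval (the CVE-2017-9802 pattern) and with JSON.parse.

// Side-effect marker used to observe whether "parsing" executed code.
let sideEffectRan = false;
function markSideEffect() { sideEffectRan = true; return "executed"; }

// Unsafe (assumed, simplified): what an eval-based evalString amounts to.
// Any JavaScript expression in the string is executed, not merely parsed.
function evalStringUnsafe(str) {
  return eval("(" + str + ")");
}

// Safe: strict JSON parsing. Non-JSON input (function calls, identifiers,
// arbitrary expressions) raises a SyntaxError instead of being executed.
function evalStringSafe(str) {
  try {
    return JSON.parse(str);
  } catch (e) {
    return null; // reject anything that is not plain JSON data
  }
}

// Constructed inputs: a legitimate JSON object, and a string that is valid
// JavaScript but not valid JSON.
const benignInput = '{"a": 1, "b": [true, "x"]}';
const codeInput = 'markSideEffect()';

// Runs both parsers over both inputs and reports whether code executed.
function demo() {
  sideEffectRan = false;
  const unsafeBenign = evalStringUnsafe(benignInput);
  const unsafeCode = evalStringUnsafe(codeInput);   // executes markSideEffect()
  const unsafeRan = sideEffectRan;

  sideEffectRan = false;
  const safeBenign = evalStringSafe(benignInput);
  const safeCode = evalStringSafe(codeInput);       // rejected, returns null
  const safeRan = sideEffectRan;

  return { unsafeBenign, unsafeCode, unsafeRan, safeBenign, safeCode, safeRan };
}
```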

Mitigation:
Users should upgrade to version 2.3.22 or later of the Sling Servlets
Post bundle.

Credit: This issue was discovered and reported by Dmitriev V. Daniil
<sgoesw (at) gmail (dot) com>.

References:

- https://issues.apache.org/jira/browse/SLING-7041
- https://sling.apache.org/project-information/security.html

Robert Munteanu

Copyright 2010, SecurityFocus