Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Sling Servlets Post 2.3.20
Description:
The JavaScript method Sling.evalString() uses the JavaScript `eval`
function to parse input strings, which allows for XSS attacks by
passing specially crafted input strings.
Mitigation:
Users should upgrade to version 2.3.22 or later of the Sling Servlets
Post bundle.
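To illustrate the class of defect described above, the following is an added example, not Apache Sling's own code: a hypothetical `evalStringUnsafe` that mirrors the eval-based pattern, beside a hardened `evalStringSafe` that accepts only a JSON string literal and therefore never executes its input as code. All function names are assumptions for this example.

```javascript
// Added example (not Apache Sling's code). Names are hypothetical.

// Unsafe pattern: the input is handed to eval(), so any valid JavaScript
// in the string runs with the page's privileges. Shown only for contrast.
function evalStringUnsafe(input) {
  return eval(input);
}

// Hardened pattern: treat the input purely as data. JSON.parse never
// executes code, and we additionally require the result to be a string,
// so expressions, numbers, objects and unquoted text are all rejected.
function evalStringSafe(input) {
  let value;
  try {
    value = JSON.parse(input);
  } catch (e) {
    throw new TypeError('evalStringSafe: input is not a JSON string literal');
  }
  if (typeof value !== 'string') {
    throw new TypeError('evalStringSafe: expected a string literal');
  }
  return value;
}

// Convenience check used for validation: does the safe parser accept this input?
function isAcceptedBySafeParser(input) {
  try {
    evalStringSafe(input);
    return true;
  } catch (e) {
    return false;
  }
}
```

The contrast to notice is that `evalStringUnsafe('"a" + "b"')` evaluates the expression and returns `ab`, whereas `evalStringSafe` rejects the same input because it is not a single JSON string literal; a parser that only decodes data cannot be turned into a script execution primitive by the caller's input.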
Credit: This issue was discovered and reported by Dmitriev V. Daniil
<sgoesw (at) gmail (dot) com [email concealed]>.
References:
- https://issues.apache.org/jira/browse/SLING-7041
- https://sling.apache.org/project-information/security.html
Robert Munteanu
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEECmZcRnC0eL8SI1zNM5UIZU9j7FQFAlmRg8MACgkQM5UIZU9j
7FTSBwf9HEC6W7tNcaZKitL0r3M1vA412xuaGB8V6rRpuz9JZQyav4dOu3/ty+jL
uxm7e3w4BDtiXZj3m+3/0wO8Wyps+6PkC1YhiRXi0TQjjtEdc9KSe2B2xb+KU8c/
zWtNAsrGPelJoo5Cw1opmPXp6QbF8LILeskmPPshls22TgYLii4nHvMAD8lqvyfa
3xxk6u7tvJxw0NudQRoyw8GAQMjHr7tk0nUSOb1OsE/D86AXdfoq4fOQagvwkjaT
NrBf0n1rN3EAxuoNjYFNaHK9ltbyHafW9Z2ZNAAuXVK+Mlq55qsOIBjfJpKM/g/y
GgM1Cb1kkqm2SQeOrpWRUMCjlNaPwA==
=uqOb
-----END PGP SIGNATURE-----