[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2016-5394 : Apache Sling XSS vulnerability
From: Bertrand Delacretaz <bdelacretaz () apache ! org>
Date: 2017-07-18 10:23:32
Message-ID: CAEWfVJmX8X8qNOJyRRi=HVzhNAUC3eFvVP2jJTZEyYw=9S70GA () mail ! gmail ! com
[Download RAW message or body]
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Sling XSS Protection API 1.0.8
Description:
The encoding done by the XSSAPI.encodeForJSString() method is not
restrictive enough and for some input patterns allows script tags to
pass through unencoded, leading to potential XSS vulnerabilities.
Mitigation:
Users should upgrade to version 1.0.12 or later of the XSS Protection
API module.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic