CVE-2017-15717

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-15717
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15717.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-15717
Aliases
Published
2018-01-10T14:29:00Z
Modified
2024-09-02T23:49:01Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.

Affected packages

Git / github.com/apache/sling-org-apache-sling-xss

Affected ranges

Type
GIT
Repo
https://github.com/apache/sling-org-apache-sling-xss
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected