GHSA-8c82-9rgp-4qvr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8c82-9rgp-4qvr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8c82-9rgp-4qvr/GHSA-8c82-9rgp-4qvr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8c82-9rgp-4qvr
- Aliases
-
- CVE-2017-9802
- Published
- 2022-05-14T02:45:32Z
- Modified
- 2023-11-08T03:59:29.744402Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post
- Details
-
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
- Database specific
{ "nvd_published_at": "2017-08-14T13:29:00Z", "github_reviewed_at": "2022-06-30T19:49:41Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-9802
- https://issues.apache.org/jira/browse/SLING-7041
- https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91@%3Cdev.sling.apache.org%3E
- http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.html
- http://www.securityfocus.com/archive/1/541024/100/0/threaded
- http://www.securityfocus.com/bid/100284
Affected packages
Maven / org.apache.sling:org.apache.sling.servlets.post
Package
- Name
- org.apache.sling:org.apache.sling.servlets.post
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.sling/org.apache.sling.servlets.post