sling-dev mailing list archives

From Daniel Klco <dk...@apache.org>
Subject CVE-2020-1949: Apache Sling CMS Reflected XSS Vulnerability
Date Wed, 25 Mar 2020 03:21:37 GMT
Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Sling CMS 0.14.0 and previous releases

Description:
Scripts in Sling CMS do not properly escape the Sling selector taken from URLs
when generating navigational elements for the administrative consoles, and
are therefore vulnerable to reflected XSS attacks.
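To illustrate the bug class named above, here is an added example (not Sling CMS's own code): it splits a Sling-style request path into resource path, selectors and extension using a simplified form of Sling's URL decomposition (assumption: the first dot in the last path segment starts the selectors), then builds a navigation link that carries the current selector once without escaping and once with HTML escaping. The hostile selector value is constructed for the demonstration.

```python
import html
from dataclasses import dataclass, field


@dataclass
class SlingRequestPath:
    resource_path: str
    selectors: list = field(default_factory=list)
    extension: str = ""


def parse_sling_path(path: str) -> SlingRequestPath:
    """Simplified Sling URL decomposition: '/a/b.sel1.sel2.html' ->
    resource '/a/b', selectors ['sel1', 'sel2'], extension 'html'.
    Only the last path segment is split, so dots in earlier segments are kept."""
    head, _, last = path.rpartition("/")
    parts = last.split(".")
    if len(parts) == 1:  # no selectors and no extension
        return SlingRequestPath(path)
    return SlingRequestPath(f"{head}/{parts[0]}", parts[1:-1], parts[-1])


def build_href(req: SlingRequestPath) -> str:
    """Reassemble the request path so the nav link keeps the current selectors."""
    pieces = [req.resource_path] + req.selectors + ([req.extension] if req.extension else [])
    return ".".join(pieces)


def nav_link_unsafe(req: SlingRequestPath, label: str) -> str:
    # Vulnerable pattern: the selector comes straight from the URL into markup.
    return f'<a href="{build_href(req)}">{label}</a>'


def nav_link_safe(req: SlingRequestPath, label: str) -> str:
    # Hardened: escape the attribute value (quote=True also encodes " and ')
    # and the text node separately, so a hostile selector cannot break out.
    return f'<a href="{html.escape(build_href(req), quote=True)}">{html.escape(label)}</a>'


def attribute_breakout(link: str) -> bool:
    """Crude check for this single-link shape: a correctly quoted href has
    exactly two double quotes; any extra one means the attribute was closed early."""
    return link.count('"') != 2
```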

Mitigation:
All users should upgrade to 0.16.0

Credit:
This issue was discovered by Guillaume GRABÉ, Pentester from Orange
Cyberdefense France.

References:
https://sling.apache.org/project-information/security.html
