Posted to users@sling.apache.org by Radu Cotescu <ra...@apache.org> on 2018/01/10 07:18:57 UTC

CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling XSS Protection API 1.0.4 to 1.0.18,
Apache Sling XSS Protection API Compat 1.1.0,
Apache Sling XSS Protection API 2.0.0

Description:
A flaw in the way URLs are escaped and encoded in
org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and
org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted
URLs to pass as valid even though they carry XSS payloads.

Mitigation:
Users should upgrade to version 2.0.4 or later of the Apache Sling XSS
Protection API module.