Posted to users@sling.apache.org by Antonio Sanso <as...@adobe.com.INVALID> on 2017/12/18 15:45:25 UTC
CVE-2017-15700 - Apache Sling Authentication Service vulnerability
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Sling Authentication Service 1.4.0
Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.
Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.
Credit:
François Lajeunesse-Robert