CVE-2016-5394

Summary

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Slingprior to 1.0.12affected

Weaknesses

  • n/a

ADP Enrichment

CVE Program Container

Additional References

References