CVE-2016-5394
N/A
N/A
Summary
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Sling | prior to 1.0.12 | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
- http://www.securityfocus.com/bid/99870
References
- https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E
- http://www.securityfocus.com/bid/99870
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.