CVE-2017-15717

Summary

A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache SlingXSS Protection API 1.0.4 to 1.0.18affected
Apache Software FoundationApache SlingXSS Protection API Compat 1.1.0affected
Apache Software FoundationApache SlingXSS Protection API 2.0.0affected

Weaknesses

  • Insufficient XSS protection

ADP Enrichment

CVE Program Container

Additional References

References