Search criteria
3 vulnerabilities found for sling_xss_protection_api by apache
FKIE_CVE-2017-15717
Vulnerability from fkie_nvd - Published: 2018-01-10 14:29 - Updated: 2024-11-21 03:15
Severity ?
Summary
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://s.apache.org/CVE-2017-15717 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://s.apache.org/CVE-2017-15717 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | sling_xss_protection_api | * | |
| apache | sling_xss_protection_api | 2.0.0 | |
| apache | sling_xss_protection_api_compat | 1.1.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sling_xss_protection_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "956A4CBC-C078-44B0-8280-28E1B7F65D5A",
"versionEndIncluding": "1.0.18",
"versionStartExcluding": "1.0.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:sling_xss_protection_api:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CE953DD-F41F-489C-AA69-038EE9A64338",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:sling_xss_protection_api_compat:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "42CF40B5-0046-4F0B-B4CE-74FDEF2D947A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0."
},
{
"lang": "es",
"value": "Un defecto en la manera en la que se escapan y codifican las URL en org.apache.sling.xss.impl.XSSAPIImpl#getValidHref y org.apache.sling.xss.impl.XSSFilterImpl#isValidHref permite que se pasen URL especialmente manipuladas como v\u00e1lidas, aunque porten cargas \u00fatiles XSS. Las versiones afectadas son Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 y Apache Sling XSS Protection API 2.0.0."
}
],
"id": "CVE-2017-15717",
"lastModified": "2024-11-21T03:15:04.493",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-10T14:29:00.263",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://s.apache.org/CVE-2017-15717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://s.apache.org/CVE-2017-15717"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2017-15717 (GCVE-0-2017-15717)
Vulnerability from cvelistv5 – Published: 2018-01-10 14:00 – Updated: 2024-09-17 01:06
VLAI?
Summary
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
Severity ?
No CVSS data available.
CWE
- Insufficient XSS protection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling |
Affected:
XSS Protection API 1.0.4 to 1.0.18
Affected: XSS Protection API Compat 1.1.0 Affected: XSS Protection API 2.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:49.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://s.apache.org/CVE-2017-15717"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "XSS Protection API 1.0.4 to 1.0.18"
},
{
"status": "affected",
"version": "XSS Protection API Compat 1.1.0"
},
{
"status": "affected",
"version": "XSS Protection API 2.0.0"
}
]
}
],
"datePublic": "2018-01-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient XSS protection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-10T13:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://s.apache.org/CVE-2017-15717"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-01-10T00:00:00",
"ID": "CVE-2017-15717",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Sling",
"version": {
"version_data": [
{
"version_value": "XSS Protection API 1.0.4 to 1.0.18"
},
{
"version_value": "XSS Protection API Compat 1.1.0"
},
{
"version_value": "XSS Protection API 2.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient XSS protection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"refsource": "MLIST",
"url": "https://s.apache.org/CVE-2017-15717"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15717",
"datePublished": "2018-01-10T14:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-17T01:06:14.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15717 (GCVE-0-2017-15717)
Vulnerability from nvd – Published: 2018-01-10 14:00 – Updated: 2024-09-17 01:06
VLAI?
Summary
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
Severity ?
No CVSS data available.
CWE
- Insufficient XSS protection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling |
Affected:
XSS Protection API 1.0.4 to 1.0.18
Affected: XSS Protection API Compat 1.1.0 Affected: XSS Protection API 2.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:49.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://s.apache.org/CVE-2017-15717"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "XSS Protection API 1.0.4 to 1.0.18"
},
{
"status": "affected",
"version": "XSS Protection API Compat 1.1.0"
},
{
"status": "affected",
"version": "XSS Protection API 2.0.0"
}
]
}
],
"datePublic": "2018-01-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient XSS protection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-10T13:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://s.apache.org/CVE-2017-15717"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-01-10T00:00:00",
"ID": "CVE-2017-15717",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Sling",
"version": {
"version_data": [
{
"version_value": "XSS Protection API 1.0.4 to 1.0.18"
},
{
"version_value": "XSS Protection API Compat 1.1.0"
},
{
"version_value": "XSS Protection API 2.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient XSS protection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API",
"refsource": "MLIST",
"url": "https://s.apache.org/CVE-2017-15717"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15717",
"datePublished": "2018-01-10T14:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-17T01:06:14.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}