VYPR
Moderate severity · NVD Advisory · Published Jan 10, 2018 · Updated Sep 17, 2024

CVE-2017-15717

Description

Apache Sling XSS Protection API improperly escapes URLs, allowing crafted href values to bypass sanitization and inject XSS payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw in the URL escaping and encoding logic within org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass validation while still carrying XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0, and Apache Sling XSS Protection API 2.0.0 [1].

Exploitation

An attacker can craft a malicious URL that bypasses the getValidHref and isValidHref checks. The attacker does not require any special network position or authentication; the vulnerability is triggered when a user or application processes an untrusted URL through the affected API functions. The exact steps involve supplying a URL with malformed encoding that the sanitization routines fail to parse correctly, resulting in a valid href that contains embedded JavaScript or other XSS payloads.

Impact

Successful exploitation allows an attacker to perform cross-site scripting (XSS) attacks. When the crafted URL is rendered in a browser context (for example, as a link or redirect target), it can execute arbitrary JavaScript in the victim's session, leading to information disclosure, session hijacking, or other client-side attacks. The impact is limited to the client-side context where the URL is used, but can compromise the confidentiality and integrity of user data within that session.

Mitigation

Users should upgrade, depending on which package they use, to Apache Sling XSS Protection API version 1.0.20 or later, Apache Sling XSS Protection API Compat version 1.1.2 or later, or Apache Sling XSS Protection API 2.0.2 or later, as these releases contain the fix [1]. No workarounds are documented in the available references. If an upgrade is not immediately possible, avoid processing untrusted URLs through the affected API functions.
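The kind of check described above, as an added example that is not Sling's own code and not a reconstruction of the actual fix: a hypothetical SafeHref.getValidHref that keeps the "valid href or empty string" contract, applies a scheme allow-list both to the href as received and after one strict percent-decoding pass, and treats a malformed escape as a reject rather than something to pass through. The class name, method names and allow-list contents are assumptions.

```java
import java.util.Locale;
import java.util.Set;
/** Hypothetical hardened href check; added illustration, not Sling's XSSAPIImpl. */
public final class SafeHref {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto");
    /** Returns the href unchanged when it is safe to emit, otherwise "" so the caller drops it. */
    public static String getValidHref(String raw) {
        if (raw == null || raw.isBlank()) return "";
        String href = raw.trim();
        // Check 1: the string exactly as received.
        if (!schemeAllowed(href)) return "";
        // Check 2: the same string after one strict percent-decoding pass. A malformed
        // escape is a reject, not something to tolerate and hand on to the browser.
        String decoded = strictDecode(href);
        if (decoded == null || !schemeAllowed(decoded)) return "";
        return href;
    }

    /** True for a relative reference or an allow-listed scheme; false on any control character. */
    static boolean schemeAllowed(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) return false;   // never let control chars reach scheme parsing
        }
        int colon = s.indexOf(':');
        if (colon < 0) return true;                     // no scheme at all: relative reference
        String head = s.substring(0, colon).toLowerCase(Locale.ROOT);
        if (!head.matches("[a-z][a-z0-9+.-]*")) {
            // ':' does not terminate a syntactic scheme; accept only when it clearly sits in path/query/fragment
            return head.chars().anyMatch(ch -> "/?#".indexOf(ch) >= 0);
        }
        return ALLOWED_SCHEMES.contains(head);
    }

    /** Single-pass %XX decode into chars; returns null on a dangling or non-hex escape. */
    static String strictDecode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') { out.append(c); continue; }
            if (i + 2 >= s.length()) return null;       // dangling escape such as a trailing "%4"
            int hi = Character.digit(s.charAt(i + 1), 16), lo = Character.digit(s.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) return null;          // non-hex escape
            out.append((char) (hi * 16 + lo));
            i += 2;
        }
        return out.toString();
    }
}
```

Both checks must pass because the browser will decode what the validator saw encoded; a value that is only safe before or only safe after decoding is dropped.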

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.sling:org.apache.sling.xss (Maven)
Affected versions: >= 1.0.4, < 2.0.4
Patched versions: 2.0.4
