Sling

by Apache

CVEs (11)

  • CVE-2017-15700 · High · Dec 18, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

  • CVE-2016-6798 · Critical · Jul 19, 2017
    risk 0.57 · cvss 9.8 · epss 0.04

    In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to…

  • CVE-2016-0956 · High · Feb 10, 2016
    risk 0.55 · cvss 7.5 · epss 0.46

    The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.

  • CVE-2012-3353 · High · Jan 9, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR…

  • CVE-2017-15717 · Medium · Jan 10, 2018
    risk 0.40 · cvss 6.1 · epss 0.03

    A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling…

  • CVE-2016-5394 · Medium · Jul 19, 2017
    risk 0.33 · cvss 6.1 · epss 0.03

    In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

  • CVE-2015-2944 · Jun 2, 2015
    risk 0.01 · cvss n/a · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2)…

  • CVE-2022-45064 · Apr 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific…

  • CVE-2023-25621 · Feb 23, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to…

  • CVE-2022-32549 · Jun 22, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

  • CVE-2013-4390 · Oct 24, 2013
    risk 0.00 · cvss n/a · epss 0.03

    Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource…