Apache Sling Sevlets Post version 2.3.20 suffers from a cross site scripting vulnerability.
f0ee7ba82aae48c70d716c3e9f53914cb43fd7086e910bda5288da6658d5a29f
CVE-2017-9802: Apache Sling XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Sling Servlets Post 2.3.20
Description:
The Javascript method Sling.evalString() uses the javascript `eval`
function to parse input strings, which allows for XSS attacks by
passing specially crafted input strings.
Mitigation:
Users should upgrade to version 2.3.22 or later of the Sling Servlets
Post bundle.
Credit: This issue was discovered and reported by Dmitriev V.
Daniil Dmitriev V. Daniil <sgoesw@gmail.com>.
References:
- https://issues.apache.org/jira/browse/SLING-7041
- https://sling.apache.org/project-information/security.html
Robert Munteanu