org.apache.sling:org.apache.sling.engine@2.6.10 vulnerabilities

  • latest version

    2.16.0

  • latest non vulnerable version

  • first published

    15 years ago

  • latest version published

    1 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.sling:org.apache.sling.engine package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) such that the SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power.

    Note: Users should enable the Check Content-Type overrides configuration option after upgrading to the fixed version.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.apache.sling:org.apache.sling.engine to version 2.14.0 or higher.

    [,2.14.0)