org.apache.sling:org.apache.sling.xss@1.0.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.sling:org.apache.sling.xss package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Severity | Vulnerable versions

Cross-site Scripting (XSS) (severity: M)

org.apache.sling:org.apache.sling.xss is a package for providing XSS protection based on the OWASP AntiSamy and OWASP Java Encoder libraries.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A flaw in the way URLs are escaped and encoded allows specially crafted URLs to pass as valid even though they carry XSS payloads.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.sling:org.apache.sling.xss to version 2.0.4 or higher.

Vulnerable versions: [,2.0.4)

XML External Entity (XXE) Injection (severity: C)

org.apache.sling:org.apache.sling.xss is a framework for RESTful web applications based on an extensible content tree.

Affected versions of the package are vulnerable to XML External Entity (XXE) Injection. In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows XXE attacks in all scripts that use this method to validate user input. This potentially allows an attacker to read sensitive data on the filesystem, perform server-side request forgery (SSRF), port-scan hosts behind the firewall, or cause a denial of service (DoS) of the application.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.sling:org.apache.sling.xss to version 1.0.12 or higher.

Vulnerable versions: [,1.0.12)

Cross-site Scripting (XSS) (severity: M)

org.apache.sling:org.apache.sling.xss is a framework for RESTful web applications based on an extensible content tree.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and, for some input patterns, allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.sling:org.apache.sling.xss to version 1.0.12 or higher.

Vulnerable versions: [,1.0.12)