Skip to main content

Sling

4 CVEs product

Monthly

CVE-2016-6798 Maven CRITICAL PATCH Act Now

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XSS Apache SSRF XXE Information Disclosure +1
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2016-5394 Maven MEDIUM PATCH This Month

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Apache Sling
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2016-0956 Maven HIGH POC PATCH THREAT Act Now

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.3%.

Adobe Information Disclosure Apache Sling Experience Manager
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
13.3%
CVE-2013-4390 Maven MEDIUM PATCH This Month

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Open Redirect XSS Sling Sling Auth Core Component
NVD
CVSS 2.0
5.8
EPSS
1.3%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XSS Apache SSRF +3
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Apache Sling
NVD
EPSS 13% CVSS 7.5
HIGH POC PATCH THREAT Act Now

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.3%.

Adobe Information Disclosure Apache +2
NVD Exploit-DB
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Apache Open Redirect XSS +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy