CVE-2016-5394

MEDIUM

Apache Sling < 1.0.12 - XSS

Title source: rule

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Exploits (2)

nomisec STUB

by epicosy · poc

https://github.com/epicosy/VUL4J-23

View Code ZIP pw:eip

nomisec WRITEUP

by shoucheng3 · poc

https://github.com/shoucheng3/apache__sling-org-apache-sling-xss_CVE-2016-5394_1-0-8

View Code ZIP pw:eip

References (2)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/99870

[Mailing List] https://lists.apache.org/thread.html/332166037a54b97cf41e2b616aaed38439de94b19b204841478e4525%40%3Cdev.sling.apache.org%3E

Scores

CVSS v3 6.1

EPSS 0.0109

EPSS Percentile 77.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

apache/sling < 1.0.12

org.apache.sling/org.apache.sling.xss < 1.0.12Maven

org.apache.sling/org.apache.sling.xss.compat < 1.1.0Maven

Apache Software Foundation/Apache Sling < prior to 1.0.12

Published Jul 19, 2017

Tracked Since Feb 18, 2026