Apache Sling XSS Protection API < 1.0.12 - Cross-Site Scripting via encodeForJSString Method
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2016-5394. PoCs published by shoucheng3, epicosy.
AI-analyzed exploit summary This repository contains the source code for the Apache Sling XSS Bundle, which includes the vulnerable code for CVE-2016-5394. The code demonstrates the XSS protection mechanisms and their implementation, but does not include a functional exploit or PoC.
Description
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Exploits (2)
This repository contains the source code for the Apache Sling XSS Bundle, which includes the vulnerable code for CVE-2016-5394. The code demonstrates the XSS protection mechanisms and their implementation, but does not include a functional exploit or PoC.
The repository contains only API source files and a Travis CI configuration, with no exploit code or technical analysis related to CVE-2016-5394. It appears to be a partial or incomplete snapshot of the Apache Sling project.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N