CVE-2016-6798

CRITICAL

Apache Sling < 1.0.10 - XXE

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string. This allows XXE attacks in all scripts that use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform server-side request forgery (SSRF), port-scan behind the firewall, or DoS the application.

Exploits (1)

nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2016-6798

Scores

CVSS v3 9.8
EPSS 0.0134
EPSS Percentile 80.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (4)
apache/sling < 1.0.10
Apache Software Foundation/Apache Sling prior to 1.0.12
org.apache.sling/org.apache.sling.xss 0 - 1.0.12 (Maven)
org.apache.sling/org.apache.sling.xss.compat 0 - 1.1.0 (Maven)
Published Jul 19, 2017
Tracked Since Feb 18, 2026