CVE-2017-9802

MEDIUM

Apache Sling Servlets Post <2.3.22 - XSS


Description

The JavaScript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the JavaScript eval function to parse input strings, which allows XSS attacks via specially crafted input strings.

Scores

CVSS v3 6.1
EPSS 0.0058
EPSS Percentile 68.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
apache/sling_servlets_post < 2.3.20
org.apache.sling/org.apache.sling.servlets.post < 2.3.22 (Maven)
n/a/n/a
Published Aug 14, 2017
Tracked Since Feb 18, 2026