CVE-2022-45064

HIGH

Apache Sling Engine < 2.14.0 - Cross-Site Scripting via RequestDispatcher Include

Title source: llm

Description

The SlingRequestDispatcher does not correctly implement the Servlet RequestDispatcher API, which results in a generic class of include-based cross-site scripting issues at the Apache Sling level: a resource pulled in through an include can override the Content-Type of the including response. The vulnerability is exploitable by an attacker who can include a resource with a specific content type and control the include path (i.e. who has write access to content). The impact of a successful attack is privilege escalation to administrative power. Update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.
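The root cause described above is a violation of the RequestDispatcher.include() contract, under which an included servlet may not change the outer response's status or headers, Content-Type included. As an added illustration (not Sling's own code), the following hypothetical wrapper enforces that contract around an include call: the included resource can still write its body, but an attempt to flip, say, a text/plain or application/json response to text/html is rejected instead of silently retyping the response the browser will render. Class and method names are mine; the OSGi property I recall as backing the "Check Content-Type overrides" option is `sling.includes.checkcontenttype` on `org.apache.sling.engine.impl.SlingMainServlet`, which is an assumption to verify against your Sling version.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical guard (not Apache Sling's code) enforcing the
 * RequestDispatcher.include() contract: an included servlet or script may
 * write to the body but may not alter the outer response's status, headers
 * or Content-Type. This is the property whose absence CVE-2022-45064
 * describes for SlingRequestDispatcher before engine 2.14.0.
 */
public final class IncludeResponseGuard extends HttpServletResponseWrapper {

    /** Content-Type fixed by the including (outer) response, null if not yet set. */
    private String outerContentType;

    public IncludeResponseGuard(HttpServletResponse outer) {
        super(outer);
        this.outerContentType = outer.getContentType();
    }

    /**
     * The attack in the advisory: an included resource switches, e.g., a
     * text/plain or application/json response to text/html so that
     * attacker-written content is rendered as markup. Reject that here.
     */
    @Override
    public void setContentType(String type) {
        if (outerContentType == null) {
            // Outer response has not chosen a type yet; the first one wins and is then frozen.
            super.setContentType(type);
            outerContentType = type;
            return;
        }
        if (type != null && sameMimeType(type, outerContentType)) {
            return; // same media type (charset parameter aside): nothing to override
        }
        throw new IllegalStateException("included resource attempted to override Content-Type '"
                + outerContentType + "' with '" + type + "'");
    }

    @Override
    public void setHeader(String name, String value) {
        if ("Content-Type".equalsIgnoreCase(name)) {
            setContentType(value); // same rule, different API surface
        }
        // Any other header from an included resource is ignored, as the Servlet spec requires.
    }

    @Override
    public void addHeader(String name, String value) {
        setHeader(name, value);
    }

    @Override public void setCharacterEncoding(String charset) { /* ignored during include */ }
    @Override public void setStatus(int sc) { /* ignored during include */ }
    @Override public void sendError(int sc, String msg) { /* ignored during include */ }
    @Override public void sendError(int sc) { /* ignored during include */ }
    @Override public void sendRedirect(String location) { /* ignored during include */ }

    /** Compare media types only: "text/html; charset=UTF-8" equals "text/html". */
    static boolean sameMimeType(String a, String b) {
        return mediaType(a).equalsIgnoreCase(mediaType(b));
    }

    private static String mediaType(String contentType) {
        int semi = contentType.indexOf(';');
        return (semi < 0 ? contentType : contentType.substring(0, semi)).trim();
    }

    /** Example use from a servlet: include path without letting it retype the response. */
    public static void includeGuarded(HttpServletRequest req, HttpServletResponse resp, String path)
            throws ServletException, IOException {
        RequestDispatcher dispatcher = req.getRequestDispatcher(path);
        dispatcher.include(req, new IncludeResponseGuard(resp));
    }
}
```

Because the real fix lives in the engine, the practical check after upgrading is configuration rather than code: confirm the "Check Content-Type overrides" option is enabled in the SlingMainServlet configuration, then exercise an include of a resource that sets a different content type and verify that the outer response keeps the Content-Type the including script chose rather than the one the included resource asked for.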

Scores

CVSS v3.1 8.0 (High)
EPSS 0.0509
EPSS Percentile 89.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
apache/apache_sling_engine < 2.14.0
org.apache.sling/org.apache.sling.engine 0 - 2.14.0 (Maven)
Published Apr 13, 2023
Tracked Since Feb 18, 2026