Cross-Site Scripting Vulnerability in Apache Sling Servlets Post
CVE-2017-9802
6.1 MEDIUM
What is CVE-2017-9802?
The Sling.evalString() JavaScript method in Apache Sling Servlets Post versions prior to 2.3.22 improperly handles user input because it passes that input to the `eval` function. This oversight can be exploited to execute arbitrary JavaScript code in the user's browser, potentially leading to unauthorized actions or data theft. Attackers can craft specific input strings to trigger this vulnerability, impacting the security integrity of applications built on Apache Sling.
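The pattern behind this class of bug, as an added illustration that is not Apache Sling's own code: a constructed helper `evalStringUnsafe` turns a client-supplied string into a value with `eval`, so the string is run as code, while the constructed hardened form `evalStringSafe` accepts only data literals via `JSON.parse` and rejects anything that is not one.

```javascript
// Constructed example (not the Sling.evalString() implementation): both
// functions take a string from an untrusted source and try to turn it
// into a value. Only the first one behaves like the vulnerable pattern.

// Tracks whether evaluated input was able to run a statement of its own.
let sideEffectObserved = false;

// Vulnerable pattern: eval() executes whatever the string contains, so a
// "value" such as '{"a":1}' works, but so does arbitrary JavaScript.
function evalStringUnsafe(input) {
  return eval("(" + input + ")");
}

// Hardened pattern: JSON.parse only produces objects, arrays, strings,
// numbers, booleans and null; any expression, call or assignment throws.
function evalStringSafe(input) {
  try {
    return { ok: true, value: JSON.parse(input) };
  } catch (e) {
    return { ok: false, error: "input is not a JSON data literal" };
  }
}

// Runs one input through both helpers so the difference is visible:
// the unsafe path returns whatever the code evaluated to, the safe path
// returns ok=false for anything that is not plain data.
function compare(input) {
  let unsafe;
  try {
    unsafe = evalStringUnsafe(input);
  } catch (e) {
    unsafe = "threw: " + e.message;
  }
  return { unsafe, safe: evalStringSafe(input) };
}

// Constructed sample inputs: a legitimate data literal, an arithmetic
// expression (already code, not data) and a statement with a side effect.
const SAMPLE_DATA = '{"a": 1, "tags": ["x", "y"]}';
const SAMPLE_EXPRESSION = "1 + 1";
const SAMPLE_STATEMENT = "sideEffectObserved = true, 0";
```

`compare(SAMPLE_STATEMENT)` flips `sideEffectObserved` on the unsafe path only; the safe path never executes anything, it merely reports that the input is not a data literal.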