CVE-2017-9802

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Sling Servlets Post
Vendor: CVE Published:; 14 August 2017

Summary

The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.

References

http://www.securityfocus.com/bid/100284

vdb-entryx_refsource_BID

http://www.securityfocus.com/archive/1/541024/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://packetstormsecurity.com/files/143758/Apache-Sling-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 14, 2017
Vulnerability Reserved
Jun 21, 2017