Apache Sling Engine: Include-based XSS
CVE-2022-45064
Summary
A vulnerability exists in the Apache Sling Engine because the SlingRequestDispatcher does not correctly implement the RequestDispatcher API. The flaw enables a generic class of include-based cross-site scripting attacks at the Apache Sling level: an attacker who controls the include path can include a resource with a specific content type. The consequences can be serious, up to privilege escalation to administrative roles. To mitigate the risk, update to Apache Sling Engine version 2.14.0 or later and enable the 'Check Content-Type overrides' configuration option.
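The check that the 'Check Content-Type overrides' option stands for can be modelled without any Sling code. The block below is an added example written for this page, not code from Apache Sling and not using its APIs; it assumes, following the servlet RequestDispatcher contract, that a resource pulled in via include must not change the Content-Type the outer response already carries, and every name in it (OuterResponse, IncludedResource, dispatch_include, the sample paths) is hypothetical and constructed for the illustration:

```python
"""Model of an include-time Content-Type override check.

Added illustration for this advisory; not Apache Sling code. It models in
plain Python the kind of check the advisory's 'Check Content-Type overrides'
option describes: a resource pulled in through an include must not change
the Content-Type the outer response already carries. All names here are
hypothetical.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class OuterResponse:
    """The response of the outer request; its Content-Type is already decided."""
    content_type: str
    body: List[str] = field(default_factory=list)


@dataclass
class IncludedResource:
    """A resource reached via an include; it declares its own Content-Type."""
    path: str
    content_type: str
    body: str


class ContentTypeOverrideError(Exception):
    """Raised when an include would change the outer response's media type."""


def media_type(content_type: str) -> str:
    """'text/html; charset=UTF-8' -> 'text/html' (parameters are not the concern)."""
    return content_type.split(";", 1)[0].strip().lower()


def dispatch_include(outer: OuterResponse, resource: IncludedResource,
                     check_content_type: bool) -> OuterResponse:
    """Include `resource` into `outer`.

    check_content_type=False models the unchecked behaviour: the included
    resource's Content-Type silently replaces the outer one, so content of
    one type is served under the headers of another.
    check_content_type=True models the hardened behaviour: an include whose
    media type differs from the committed outer type is refused, and an
    include never alters the outer Content-Type.
    """
    if media_type(resource.content_type) != media_type(outer.content_type):
        if check_content_type:
            raise ContentTypeOverrideError(
                f"include of {resource.path} would change Content-Type "
                f"{outer.content_type!r} -> {resource.content_type!r}")
        outer.content_type = resource.content_type  # unchecked override
    outer.body.append(resource.body)
    return outer


def demo() -> dict:
    """Run the model over constructed sample data and report both outcomes."""
    outer_type = "text/plain; charset=UTF-8"
    # Constructed sample: an included resource declaring a different media type.
    html_res = IncludedResource("/content/constructed-example", "text/html",
                                "<p>sample</p>")
    unchecked = dispatch_include(OuterResponse(outer_type), html_res,
                                 check_content_type=False)
    try:
        dispatch_include(OuterResponse(outer_type), html_res,
                         check_content_type=True)
        checked = "allowed"
    except ContentTypeOverrideError:
        checked = "refused"
    return {"unchecked": unchecked.content_type, "checked": checked}


if __name__ == "__main__":
    print(demo())
```

The comparison deliberately looks only at the media type, so an include that differs from the outer response only in parameters such as charset is still accepted; what the check refuses is a switch of the type itself.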
Affected Version(s)
Apache Sling Engine < 2.14.0