Apache Sling App CMS: XSS in CMS Reference / UI Components
CVE-2023-22849

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Sling App CMS
Vendor: CVE Published:; 4 February 2023

Summary

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.

Upgrade to Apache Sling App CMS >= 1.1.6

Affected Version(s)

Apache Sling App CMS 0 < 1.1.6

References

https://sling.apache.org/news.html

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 4, 2023
Vulnerability Reserved
Jan 7, 2023

Credit

Apache Sling would like to thank Eugene Lim and Sng Jay Kai from GOVTECH for reporting this issue