CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API


From: Radu Cotescu
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling XSS Protection API 1.0.4 to 1.0.18,
Apache Sling XSS Protection API Compat 1.1.0,
Apache Sling XSS Protection API 2.0.0

Description:
A flaw in the way URLs are escaped and encoded in
org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and
org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted
URLs to pass as valid even though they carry XSS payloads.
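The advisory names the affected methods but does not spell out the bypass. The following is an added illustration, not Apache Sling code and not a reproduction of the exact flaw: it shows the general class of problem an href validator faces when escaping and decoding are not applied consistently, and one way to harden against it. The class name HrefValidator, the allowlist of schemes and all sample hrefs are assumptions constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Illustrative href validator (hypothetical, not Apache Sling code). Contrasts a check that
 * inspects the raw string once with one that decodes HTML entities and percent-escapes to a
 * fixed point, strips control characters, and only then allowlists the scheme.
 */
public final class HrefValidator {

    // Assumed allowlist: anything else (javascript:, data:, vbscript:, ...) is rejected.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto", "ftp");
    private static final int MAX_DECODE_ROUNDS = 5;
    private static final Pattern NUMERIC_ENTITY = Pattern.compile("&#([xX][0-9a-fA-F]{1,6}|[0-9]{1,7});?");
    private static final Pattern SCHEME = Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]*):");

    /** Naive check: denylist applied to the raw string. Any encoding of the scheme defeats it. */
    static boolean naiveIsValidHref(String href) {
        String lower = href.toLowerCase();
        return !(lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:"));
    }

    /** Hardened check: canonicalise first, then allowlist the scheme of what a browser would see. */
    static boolean isValidHref(String href) {
        String normalized = canonicalize(href);
        if (normalized == null) {
            return false;                       // never converged: treat as hostile
        }
        if (normalized.startsWith("//")) {
            return true;                        // protocol-relative, inherits the page's scheme
        }
        Matcher m = SCHEME.matcher(normalized);
        if (!m.find()) {
            return true;                        // no scheme at all: relative URL
        }
        return ALLOWED_SCHEMES.contains(m.group(1).toLowerCase());
    }

    /** Decode entities and percent-escapes until the string stops changing, then drop control chars. */
    static String canonicalize(String href) {
        String current = href;
        for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
            String next = percentDecode(decodeHtmlEntities(current));
            if (next.equals(current)) {
                // Browsers ignore tab, newline and other C0 controls inside a scheme.
                return current.replaceAll("[\\u0000-\\u0020\\u007F]", "");
            }
            current = next;
        }
        return null;                            // still changing after MAX_DECODE_ROUNDS
    }

    /** Decodes &#NN; / &#xHH; plus the few named entities relevant to scheme smuggling. */
    static String decodeHtmlEntities(String s) {
        Matcher m = NUMERIC_ENTITY.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String body = m.group(1);
            boolean hex = body.charAt(0) == 'x' || body.charAt(0) == 'X';
            int cp = Integer.parseInt(hex ? body.substring(1) : body, hex ? 16 : 10);
            String rep = Character.isValidCodePoint(cp) ? new String(Character.toChars(cp)) : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString()
                .replace("&colon;", ":").replace("&Tab;", "\t").replace("&NewLine;", "\n").replace("&amp;", "&");
    }

    /** Percent-decodes well-formed %XX sequences as UTF-8 bytes; malformed ones are left alone. */
    static String percentDecode(String s) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        int i = 0;
        while (i < s.length()) {
            if (s.charAt(i) == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                bytes.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 3;
            } else {
                int cp = s.codePointAt(i);
                byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                bytes.write(utf8, 0, utf8.length);
                i += Character.charCount(cp);
            }
        }
        return new String(bytes.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample hrefs: the first three are benign, the rest smuggle a javascript: scheme.
        List<String> samples = List.of(
                "https://sling.apache.org/",
                "/content/page.html?next=javascript:void(0)",
                "mailto:security@apache.org",
                "javascript:alert(1)",
                "java\tscript:alert(1)",
                "&#106;avascript:alert(1)",
                "%26%23106%3Bavascript:alert(1)",
                "jav&amp;#x61;script:alert(1)");
        System.out.printf("%-42s %-6s %-9s%n", "href", "naive", "hardened");
        for (String href : samples) {
            System.out.printf("%-42s %-6b %-9b%n",
                    href.replace("\t", "\\t"), naiveIsValidHref(href), isValidHref(href));
        }
    }
}
```

Run with `java HrefValidator.java` (Java 11 or later). The naive check accepts every encoded variant, while the canonicalising check rejects them and still passes the relative URL whose query string happens to contain `javascript:`. The design point is that validation must operate on the form the browser will interpret: decode until stable, refuse if decoding never stabilises, and allowlist schemes rather than denylisting spellings of `javascript`.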

Mitigation:
Users should upgrade to version 2.0.4 or later of the Apache Sling XSS
Protection API module.