Search criteria
12 vulnerabilities found for sling_cms by apache
FKIE_CVE-2023-22849
Vulnerability from fkie_nvd - Published: 2023-02-04 21:15 - Updated: 2025-03-25 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.
Upgrade to Apache Sling App CMS >= 1.1.6
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://sling.apache.org/news.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://sling.apache.org/news.html | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B61927D3-A2AC-4363-93B2-E3BBE0BF1A47",
"versionEndExcluding": "1.1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.6\n"
}
],
"id": "CVE-2023-22849",
"lastModified": "2025-03-25T19:15:41.267",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-04T21:15:09.113",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://sling.apache.org/news.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-46769
Vulnerability from fkie_nvd - Published: 2023-01-09 11:15 - Updated: 2025-04-09 20:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.
Upgrade to Apache Sling App CMS >= 1.1.4
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://sling.apache.org/news.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://sling.apache.org/news.html | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7DC2CC7D-C127-4841-A5F3-A73CF3E02784",
"versionEndExcluding": "1.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.4 \n"
},
{
"lang": "es",
"value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web (\u0027Cross-site Scripting\u0027) vulnerabilidad [CWE-79] en Sling App CMS versi\u00f3n 1.1.2 y anteriores puede permitir que un atacante remoto autenticado realice un cross-site scripting reflejado (XSS) ataque en la funci\u00f3n de grupo de sitios. Actualice a la aplicaci\u00f3n CMS Apache Sling \u0026gt;= 1.1.4"
}
],
"id": "CVE-2022-46769",
"lastModified": "2025-04-09T20:15:22.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-01-09T11:15:10.700",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://sling.apache.org/news.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-43670
Vulnerability from fkie_nvd - Published: 2022-11-02 13:15 - Updated: 2025-05-02 21:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/11/02/8 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs | Issue Tracking, Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/11/02/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs | Issue Tracking, Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53B968DC-A761-4A1B-8583-C0171C42BD21",
"versionEndIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature."
},
{
"lang": "es",
"value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web (\u0027Cross-site Scripting\u0027) vulnerabilidad [CWE-79] en Sling App CMS versi\u00f3n 1.1.0 y anteriores puede permitir que un atacante remoto autenticado realice un ataque de Cross-Site Scripting (XSS) Reflejado en la funci\u00f3n de gesti\u00f3n de taxonom\u00eda."
}
],
"id": "CVE-2022-43670",
"lastModified": "2025-05-02T21:15:22.990",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-02T13:15:19.997",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-1949
Vulnerability from fkie_nvd - Published: 2020-04-01 19:15 - Updated: 2024-11-21 05:11
Severity ?
Summary
Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://s.apache.org/CVE-2020-1949 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://s.apache.org/CVE-2020-1949 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC44660B-3E21-412D-A246-6B31F3321A1F",
"versionEndExcluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks."
},
{
"lang": "es",
"value": "Scripts en Sling CMS versiones anteriores a 0.16.0, no se escapan apropiadamente al Sling Selector a partir de las URL cuando se generan elementos de navegaci\u00f3n para las consolas administrativas y son vulnerables a los ataques de tipo XSS reflejados."
}
],
"id": "CVE-2020-1949",
"lastModified": "2024-11-21T05:11:42.970",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-01T19:15:14.610",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://s.apache.org/CVE-2020-1949"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://s.apache.org/CVE-2020-1949"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-22849 (GCVE-0-2023-22849)
Vulnerability from cvelistv5 – Published: 2023-02-04 20:37 – Updated: 2025-03-25 18:51
VLAI?
Title
Apache Sling App CMS: XSS in CMS Reference / UI Components
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.
Upgrade to Apache Sling App CMS >= 1.1.6
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
0 , < 1.1.6
(semver)
|
Credits
Apache Sling would like to thank Eugene Lim and Sng Jay Kai from GOVTECH for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sling.apache.org/news.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T18:50:40.846082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:51:46.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apache Sling would like to thank Eugene Lim and Sng Jay Kai from GOVTECH for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to Apache Sling App CMS \u0026gt;= 1.1.6\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.6\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-04T20:37:05.831Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Sling App CMS: XSS in CMS Reference / UI Components",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22849",
"datePublished": "2023-02-04T20:37:05.831Z",
"dateReserved": "2023-01-07T16:03:27.911Z",
"dateUpdated": "2025-03-25T18:51:46.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46769 (GCVE-0-2022-46769)
Vulnerability from cvelistv5 – Published: 2023-01-09 10:14 – Updated: 2025-04-09 19:26
VLAI?
Title
Apache Sling App CMS: XSS in CMS Site Group Detail
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.
Upgrade to Apache Sling App CMS >= 1.1.4
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
0 , < 1.1.4
(custom)
|
Credits
Apache Sling would like to thank Sam Bagheri for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sling.apache.org/news.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T19:26:32.081207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T19:26:54.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apache Sling would like to thank Sam Bagheri for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to Apache Sling App CMS \u0026gt;= 1.1.4\u003c/span\u003e \u003cbr\u003e"
}
],
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.4 \n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-09T10:14:56.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Sling App CMS: XSS in CMS Site Group Detail",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46769",
"datePublished": "2023-01-09T10:14:56.823Z",
"dateReserved": "2022-12-07T19:05:24.777Z",
"dateUpdated": "2025-04-09T19:26:54.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43670 (GCVE-0-2022-43670)
Vulnerability from cvelistv5 – Published: 2022-11-02 00:00 – Updated: 2025-05-02 20:28
VLAI?
Title
XSS in Sling CMS Reference App Taxonomy Path
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
unspecified , < 1.1.2
(custom)
|
Credits
Apache Sling would like to thank QSec-Team for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:05.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
},
{
"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-02T20:28:24.725346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:28:50.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Sling would like to thank QSec-Team for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-02T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
},
{
"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
}
],
"source": {
"defect": [
"SLING-11622"
],
"discovery": "UNKNOWN"
},
"title": "XSS in Sling CMS Reference App Taxonomy Path",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache Sling App CMS \u003e= 1.1.2"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-43670",
"datePublished": "2022-11-02T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-05-02T20:28:50.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1949 (GCVE-0-2020-1949)
Vulnerability from cvelistv5 – Published: 2020-04-01 18:25 – Updated: 2024-08-04 06:53
VLAI?
Summary
Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Sling |
Affected:
Apache Sling CMS 0.14.0 and previous releases
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:53:59.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://s.apache.org/CVE-2020-1949"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Sling CMS 0.14.0 and previous releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-01T18:25:32",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://s.apache.org/CVE-2020-1949"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1949",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Sling",
"version": {
"version_data": [
{
"version_value": "Apache Sling CMS 0.14.0 and previous releases"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://s.apache.org/CVE-2020-1949",
"refsource": "MISC",
"url": "https://s.apache.org/CVE-2020-1949"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1949",
"datePublished": "2020-04-01T18:25:32",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:53:59.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22849 (GCVE-0-2023-22849)
Vulnerability from nvd – Published: 2023-02-04 20:37 – Updated: 2025-03-25 18:51
VLAI?
Title
Apache Sling App CMS: XSS in CMS Reference / UI Components
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.
Upgrade to Apache Sling App CMS >= 1.1.6
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
0 , < 1.1.6
(semver)
|
Credits
Apache Sling would like to thank Eugene Lim and Sng Jay Kai from GOVTECH for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sling.apache.org/news.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T18:50:40.846082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:51:46.346Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apache Sling would like to thank Eugene Lim and Sng Jay Kai from GOVTECH for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to Apache Sling App CMS \u0026gt;= 1.1.6\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.6\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-04T20:37:05.831Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Sling App CMS: XSS in CMS Reference / UI Components",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22849",
"datePublished": "2023-02-04T20:37:05.831Z",
"dateReserved": "2023-01-07T16:03:27.911Z",
"dateUpdated": "2025-03-25T18:51:46.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46769 (GCVE-0-2022-46769)
Vulnerability from nvd – Published: 2023-01-09 10:14 – Updated: 2025-04-09 19:26
VLAI?
Title
Apache Sling App CMS: XSS in CMS Site Group Detail
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.
Upgrade to Apache Sling App CMS >= 1.1.4
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
0 , < 1.1.4
(custom)
|
Credits
Apache Sling would like to thank Sam Bagheri for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sling.apache.org/news.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T19:26:32.081207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T19:26:54.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apache Sling would like to thank Sam Bagheri for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to Apache Sling App CMS \u0026gt;= 1.1.4\u003c/span\u003e \u003cbr\u003e"
}
],
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS \u003e= 1.1.4 \n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-09T10:14:56.823Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://sling.apache.org/news.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Sling App CMS: XSS in CMS Site Group Detail",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46769",
"datePublished": "2023-01-09T10:14:56.823Z",
"dateReserved": "2022-12-07T19:05:24.777Z",
"dateUpdated": "2025-04-09T19:26:54.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43670 (GCVE-0-2022-43670)
Vulnerability from nvd – Published: 2022-11-02 00:00 – Updated: 2025-05-02 20:28
VLAI?
Title
XSS in Sling CMS Reference App Taxonomy Path
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Sling App CMS |
Affected:
unspecified , < 1.1.2
(custom)
|
Credits
Apache Sling would like to thank QSec-Team for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:05.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
},
{
"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-02T20:28:24.725346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:28:50.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling App CMS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Sling would like to thank QSec-Team for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input during web page generation (\u0027Cross-site Scripting\u0027) [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-02T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"
},
{
"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"
}
],
"source": {
"defect": [
"SLING-11622"
],
"discovery": "UNKNOWN"
},
"title": "XSS in Sling CMS Reference App Taxonomy Path",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache Sling App CMS \u003e= 1.1.2"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-43670",
"datePublished": "2022-11-02T00:00:00.000Z",
"dateReserved": "2022-10-22T00:00:00.000Z",
"dateUpdated": "2025-05-02T20:28:50.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1949 (GCVE-0-2020-1949)
Vulnerability from nvd – Published: 2020-04-01 18:25 – Updated: 2024-08-04 06:53
VLAI?
Summary
Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
Severity ?
No CVSS data available.
CWE
- Improper Neutralization of Input During Web Page Generation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Sling |
Affected:
Apache Sling CMS 0.14.0 and previous releases
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:53:59.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://s.apache.org/CVE-2020-1949"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Sling CMS 0.14.0 and previous releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Input During Web Page Generation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-01T18:25:32",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://s.apache.org/CVE-2020-1949"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1949",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Sling",
"version": {
"version_data": [
{
"version_value": "Apache Sling CMS 0.14.0 and previous releases"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://s.apache.org/CVE-2020-1949",
"refsource": "MISC",
"url": "https://s.apache.org/CVE-2020-1949"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1949",
"datePublished": "2020-04-01T18:25:32",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:53:59.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}