CVE-2017-15717
Description
A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid even though they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
Risk Information
Base Score
6.1
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
1.185
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2017-15717 is fixed in Apache-org.apache.sling.xss 2.0.4 | Windows |
| CVE-2017-15717 affects Apache-org.apache.sling.xss.compat 1.1.0 | Windows |
| CVE-2017-15717 is fixed in Apache-org.apache.sling.xss for Linux 2.0.4 | Linux |
| CVE-2017-15717 affects Apache-org.apache.sling.xss.compat for Linux 1.1.0 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234