CVE-2023-22849

2023-02-0421:15:09

Google

osv.dev

cross-site scripting

sling app cms

upgrade

apache

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

61.0%

JSON

An improper neutralization of input during web page generation (‘Cross-site Scripting’) [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features.

Upgrade to Apache Sling App CMS >= 1.1.6

CPENameOperatorVersion
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.14.0
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-1.0.2
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.16.0
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.16.2
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-1.0.4
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.12.0
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-1.1.4
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.10.0
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-0.11.0
sling-org-apache-sling-app-cmseqorg.apache.sling.cms-1.1.0

Name	Operator	Version
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.14.0
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-1.0.2
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.16.0
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.16.2
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-1.0.4
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.12.0
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-1.1.4
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.10.0
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-0.11.0
sling-org-apache-sling-app-cms	eq	org.apache.sling.cms-1.1.0