Vulnerability Description
A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid even though they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Sling Xss Protection Api | <= 1.0.18 |
| Apache | Sling Xss Protection Api Compat | 1.1.0 |
Related Weaknesses (CWE)
References
- https://s.apache.org/CVE-2017-15717 (Vendor Advisory)
FAQ
What is CVE-2017-15717?
CVE-2017-15717 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as v...
How severe is CVE-2017-15717?
CVE-2017-15717 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-15717?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Sling Xss Protection Api, Apache Sling Xss Protection Api Compat.