Vulnerability Description
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Sling Servlets Post | <= 2.3.20 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cr
- http://www.securityfocus.com/archive/1/541024/100/0/threaded
- http://www.securityfocus.com/bid/100284Third Party AdvisoryVDB Entry
- https://issues.apache.org/jira/browse/SLING-7041Issue TrackingVendor Advisory
- https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60d
- http://packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cr
- http://www.securityfocus.com/archive/1/541024/100/0/threaded
- http://www.securityfocus.com/bid/100284Third Party AdvisoryVDB Entry
- https://issues.apache.org/jira/browse/SLING-7041Issue TrackingVendor Advisory
- https://lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60d
FAQ
What is CVE-2017-9802?
CVE-2017-9802 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially craft...
How severe is CVE-2017-9802?
CVE-2017-9802 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-9802?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Sling Servlets Post.