CVE-2017-15700 Information

Description

A flaw in the org.apache.sling.auth.core.AuthUtil.isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://lists.apache.org/thread.html/182bed1dd6933824a81cc5f07639eeb813fbd8f2cc49d51b452ab621@%3Cdev.sling.apache.org%3E

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
