CVE-2017-15717 Information

Description

A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl.getValidHref and org.apache.sling.xss.impl.XSSFilterImpl.isValidHref allows specially crafted URLs to pass as valid even though they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0, and Apache Sling XSS Protection API 2.0.0.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://s.apache.org/CVE-2017-15717

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM