CVE-2017-15717
CVE-2017-15717 is a vulnerability of currently unknown severity. A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid even though they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0. EPSS estimates a 2.91% chance of exploitation in the next 30 days.
Description
A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid even though they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Sling Xss Protection Api | > 1.0.4, <= 1.0.18 |
| Apache | Sling Xss Protection Api | 2.0.0 |
| Apache | Sling Xss Protection Api Compat | 1.1.0 |
References
- https://s.apache.org/CVE-2017-15717 (Vendor Advisory)
Source: NVD / NIST
