Advisories for Maven/Org.apache.sling/Org.apache.sling.engine package

2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The SlingRequestDispatcher does not correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine >= 2.14.0 and …

2022
2020