CVE-2017-15717: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 14, 2022 (updated July 1, 2022)

A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.

References

github.com/advisories/GHSA-7mfw-43c4-45mq
nvd.nist.gov/vuln/detail/CVE-2017-15717
s.apache.org/CVE-2017-15717

Code Behaviors & Features

Detect and mitigate CVE-2017-15717 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →