CVE-2017-15717

A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.

Published: Jan 10, 2018
Updated: May 9, 2024
CVE: CVE-2017-15717
GHSA: GHSA-7mfw-43c4-45mq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
apache / sling_xss_protection_api	1.0.4.x	1.0.18.x
apache / sling_xss_protection_api	2.0.0	2.0.0.x
apache / sling_xss_protection_api_compat	1.1.0	1.1.0.x
org.apache.sling / org.apache.sling.xss	1.0.4	2.0.4
org.apache.sling / org.apache.sling.xss.compat	1.1.0	1.1.0.x

https://s.apache.org/CVE-2017-15717

Vulnerability Database

290,206

CVE-2017-15717