CVE-2015-2944: XSS
First published: Tue Jun 02 2015(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
Credit: vultures@jpcert.or.jp
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Sling | <=2.2.0 | |
| Apache Sling API | <=2.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://jvn.jp/en/jp/JVN61328139/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069
- http://www.securityfocus.com/bid/74839
- https://issues.apache.org/jira/browse/SLING-2082
- https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
- https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2015-2944?
CVE-2015-2944 is considered a medium severity cross-site scripting vulnerability.
How do I fix CVE-2015-2944?
To fix CVE-2015-2944, upgrade Apache Sling API to version 2.2.2 or later, and Apache Sling Servlets Post to version 2.1.2 or later.
What systems are affected by CVE-2015-2944?
CVE-2015-2944 affects Apache Sling API versions before 2.2.2 and Apache Sling Servlets Post versions before 2.1.2.
What kind of attacks can be executed through CVE-2015-2944?
CVE-2015-2944 allows remote attackers to inject arbitrary web scripts or HTML, leading to potential user data theft or session hijacking.
Is CVE-2015-2944 still a threat if I'm running the latest version?
No, if you are using the patched versions of Apache Sling API and Servlets Post, CVE-2015-2944 should not pose a threat.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache sling
- version/apache sling/2.2.0
- canonical/apache sling api
- version/apache sling api/2.1.0