What is the severity of CVE-2016-6798?

CVE-2016-6798 has a medium severity rating due to its potential to enable XXE attacks.

How do I fix CVE-2016-6798?

To fix CVE-2016-6798, upgrade to Apache Sling XSS API version 1.0.12 or later, or the XSS Protection API module version 1.1.0 or later.

What systems are affected by CVE-2016-6798?

CVE-2016-6798 affects Apache Sling versions up to 1.0.10 and the XSS Protection API module before 1.0.12.

What type of attack is enabled by CVE-2016-6798?

CVE-2016-6798 allows for XML External Entity (XXE) attacks, which can lead to exposure of sensitive data.

Is user input validation compromised in CVE-2016-6798?

Yes, CVE-2016-6798 compromises user input validation due to the use of an insecure SAX parser.

Vulnerability/
CVE-2016-6798

critical

9.8

CWE

611 79 918

19/7/2017

17/5/2022

16/9/2024

CVE-2016-6798: XEE

First published: Wed Jul 19 2017(Updated: )

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.sling:org.apache.sling.xss.compat	<1.1.0	1.1.0
maven/org.apache.sling:org.apache.sling.xss	<1.0.12	1.0.12
Apache Sling API	<=1.0.10

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2016-6798?
CVE-2016-6798 has a medium severity rating due to its potential to enable XXE attacks.
How do I fix CVE-2016-6798?
To fix CVE-2016-6798, upgrade to Apache Sling XSS API version 1.0.12 or later, or the XSS Protection API module version 1.1.0 or later.
What systems are affected by CVE-2016-6798?
CVE-2016-6798 affects Apache Sling versions up to 1.0.10 and the XSS Protection API module before 1.0.12.
What type of attack is enabled by CVE-2016-6798?
CVE-2016-6798 allows for XML External Entity (XXE) attacks, which can lead to exposure of sensitive data.
Is user input validation compromised in CVE-2016-6798?
Yes, CVE-2016-6798 compromises user input validation due to the use of an insecure SAX parser.

collector/github-advisory-latest
alias/GHSA-7g54-vgp6-jj5w
alias/CVE-2016-6798
collector/github-advisory
agent/author
agent/type
agent/softwarecombine
agent/severity
agent/weakness
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-cve
agent/software-canonical-lookup-request
collector/nvd-index
package-manager/maven
vendor/apache
canonical/apache sling api
version/apache sling api/1.0.10

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.