First published: Mon Aug 14 2017(Updated: )
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Sling API | <=2.3.20 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2017-9802 has a medium severity rating due to its potential for cross-site scripting (XSS) attacks.
To fix CVE-2017-9802, upgrade Apache Sling Servlets Post to version 2.3.22 or later.
CVE-2017-9802 allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially compromising sensitive information.
Apache Sling Servlets Post versions prior to 2.3.22 are affected by CVE-2017-9802.
CVE-2017-9802 utilizes the Javascript 'eval' function to process input strings without adequate sanitization, enabling XSS exploitation.