Unrestricted Script Tag Passing in XSSAPI.encodeForJSString() Method in Apache Sling

Unrestricted Script Tag Passing in XSSAPI.encodeForJSString() Method in Apache Sling

CVE-2016-5394 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Learn more about our Cis Benchmark Audit For Apache Http Server.