GHSA-mg46-f9h5-g27x: Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API, resulting in a generic class of include-based cross-site scripting issues at the Apache Sling level. The vulnerability is exploitable by an attacker who can include a resource with a specific content type and who controls the include path (i.e. who can write content). The impact of a successful attack is privilege escalation to administrative power.

Update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option; the advisory calls for both steps, not the upgrade alone.
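A first practical check is whether a build still pulls in an affected Sling Engine. The script below is an added example, not code from the advisory or from the Apache Sling project: it scans `mvn dependency:tree` output for `org.apache.sling:org.apache.sling.engine` and flags any version below the 2.14.0 fix, treating pre-release qualifiers (2.14.0-SNAPSHOT, -RC1) as still affected. The sample tree text is constructed for the example. It does not inspect the OSGi configuration, so the "Check Content-Type overrides" option still has to be verified separately.

```python
"""Audit `mvn dependency:tree` output for Apache Sling Engine builds below the fixed version."""
import re
from typing import Dict, List, Optional, Tuple

# Coordinate and fix version as stated in GHSA-mg46-f9h5-g27x / CVE-2022-45064.
AFFECTED_ARTIFACT = "org.apache.sling:org.apache.sling.engine"
FIXED_VERSION = "2.14.0"

# Maven coordinate as printed by dependency:tree: g:a:packaging[:classifier]:version[:scope]
_COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")

# Constructed sample output for the example; not real build output.
SAMPLE_TREE = """\
[INFO] com.example:sling-app:jar:1.0.0
[INFO] +- org.apache.sling:org.apache.sling.api:jar:2.25.4:provided
[INFO] +- org.apache.sling:org.apache.sling.engine:jar:2.10.0:provided
[INFO] +- org.apache.sling:org.apache.sling.engine:jar:2.14.0:test
[INFO] \\- javax.servlet:javax.servlet-api:jar:3.1.0:provided
"""


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split a Maven version into (numeric components, release flag).

    A qualifier such as -SNAPSHOT or -RC1 marks a pre-release and sorts below
    the plain release with the same numbers, so 2.14.0-SNAPSHOT counts as affected.
    """
    core, _, qualifier = version.partition("-")
    parts: List[int] = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:  # make 2.14 compare equal to 2.14.0
        parts.append(0)
    return tuple(parts), 0 if qualifier else 1


def is_affected(version: str) -> bool:
    """True when the given Sling Engine version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_coordinate(line: str) -> Optional[Dict[str, str]]:
    """Return {'artifact': 'group:artifact', 'version': ...} for a tree line, or None."""
    match = _COORD_RE.search(line)
    if not match:
        return None
    fields = match.group().split(":")
    if len(fields) == 4:       # g:a:packaging:version
        group, artifact, _, version = fields
    elif len(fields) == 5:     # g:a:packaging:version:scope
        group, artifact, _, version, _ = fields
    elif len(fields) == 6:     # g:a:packaging:classifier:version:scope
        group, artifact, _, _, version, _ = fields
    else:
        return None
    return {"artifact": f"{group}:{artifact}", "version": version}


def audit(tree_output: str) -> List[Dict[str, object]]:
    """List every Sling Engine occurrence in the tree with its affected status."""
    findings: List[Dict[str, object]] = []
    for line in tree_output.splitlines():
        coord = parse_coordinate(line)
        if coord and coord["artifact"] == AFFECTED_ARTIFACT:
            findings.append({
                "version": coord["version"],
                "affected": is_affected(coord["version"]),
                "line": line.strip(),
            })
    return findings


if __name__ == "__main__":
    import sys
    # Pipe `mvn dependency:tree` into the script, or run it bare to see the sample.
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text):
        status = "AFFECTED (< 2.14.0)" if finding["affected"] else "ok"
        print(f"{finding['version']:<16} {status}")
```

Run it as `mvn dependency:tree | python3 audit_sling_engine.py` in each module of a multi-module build, since Maven's version mediation can leave different modules on different engine versions.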

Source: GitHub Advisory Database (GitHub Reviewed), CVE-2022-45064

Severity: High
Package: org.apache.sling:org.apache.sling.engine (Maven)
Affected versions: < 2.14.0
Published to the GitHub Advisory Database: Apr 13, 2023
Last updated: Apr 18, 2023

Related news

CVE-2022-45064: the CVE record carries the same description as the advisory above, with the same remediation (Apache Sling Engine >= 2.14.0 plus the "Check Content-Type overrides" configuration option).