lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Aug 2017 14:04:35 +0300
From: Robert Munteanu <>
Subject: CVE-2017-9802: Apache Sling XSS vulnerability

CVE-2017-9802: Apache Sling XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Servlets Post 2.3.20

The Javascript method Sling.evalString() uses the javascript `eval`
function to parse input strings, which allows for XSS attacks by
passing specially crafted input strings.

Users should upgrade to version 2.3.22 or later of the Sling Servlets
Post bundle.

Credit: This issue was discovered and reported by Dmitriev V.
Daniil Dmitriev V. Daniil <>.



Robert Munteanu

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists