Apache Sling


By the Year

In 2024 there have been 0 vulnerabilities in Apache Sling. Last year Sling had 1 security vulnerability published. Right now, Sling is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 9.00
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Sling vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Sling Security Vulnerabilities

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level

CVE-2022-45064 9 - Critical - April 13, 2023

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.

XSS

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns

CVE-2016-5394 6.1 - Medium - July 19, 2017

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

XSS
