Skip to main content
Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
org.apache.sling/org.apache.sling.xss.comp… | Sonatype Guide
Get full component data and automated fixes with Sonatype Guide.
Sign up for free
maven
org.apache.sling
org.apache.sling.xss.compat
1.0.0
org.apache.sling.xss.compat 1.0.0
org.apache.sling
Published
May 1, 2017
•
Policy
compliance
maven Registry
Developer Trust Score
Recommended Version:
x.y.z
Recommended upgrade that meets your policy.
Compare Versions
Overview
Overview
Versions
2
Versions
2
Vulnerabilities
24
Vulnerabilities
24
Dependencies
0
Dependencies
0
Reset filters
Severity
Critical
(0)
High
(0)
Medium
(15)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
6.9
CVE-2025-5878
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.
affected
Severity
Medium
Published
Jul 3, 2025
6.5
CVE-2024-29131
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
affected
Severity
Medium
Published
Mar 22, 2024
6.1
CVE-2024-23635
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
affected
Severity
Medium
Published
Feb 5, 2024
6.1
sonatype-2023-4780
esapi - Cross-Site Scripting (XSS)
affected
Severity
Medium
Published
Nov 28, 2023
6.1
CVE-2023-43643
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
affected
Severity
Medium
Published
Oct 10, 2023
6.1
CVE-2022-28367
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
affected
Severity
Medium
Published
Apr 22, 2022
6.5
CVE-2022-23437
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
affected
Severity
Medium
Published
Jan 25, 2022
6.1
CVE-2021-35043
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.
affected
Severity
Medium
Published
Jul 21, 2021
6.1
sonatype-2016-0701
antisamy - Cross-Site Scripting (XSS)
affected
Severity
Medium
Published
Aug 19, 2020
6.1
CVE-2017-15717
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
affected
Severity
Medium
Published
Jan 12, 2018
4.0
sonatype-2013-0070
ESAPI - Denial of Service (DoS)
affected
Severity
Medium
Published
Dec 7, 2017
6.1
CVE-2017-14735
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
affected
Severity
Medium
Published
Nov 6, 2017
5.9
sonatype-2017-0348
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
affected
Severity
Medium
Published
Sep 15, 2017
6.1
CVE-2016-5394
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
affected
Severity
Medium
Published
Aug 2, 2017
5.0
CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
affected
Severity
Medium
Published
Mar 28, 2017