- CVE ID
- CVE-2016-5394
- CVE Description
- In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
- Published
- Aug 2, 2017
- CVSS Score & Severity
6.1Medium
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- EPSS Score
- 1.094%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
org/apache/sling/xss/impl/XSSAPIImpl.encodeForJSString(Ljava/lang/String;)Ljava/lang/String;JVMVulnerable params: 0
- Source
- National Vulnerability Database