CVE-2015-2944 — Improper Neutralization of Input During Web Page Generation in Apache Sling

Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

How to fix CVE-2015-2944

To remediate CVE-2015-2944, upgrade the affected package to a fixed version below.

Maven/org.apache.sling:org.apache.sling.api—upgrade to 2.2.2 or later
—upgrade to 2.1.2 or later

Is CVE-2015-2944 being exploited?

Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.2.2
from 0, < 2.1.2

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-2944
WEBjvndb.jvn.jp/jvndb/JVNDB-2015-000069
WEBjvn.jp/en/jp/JVN61328139/index.html
WEBissues.apache.org/jira/browse/SLING-2082