{ "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-01-10T00:00:00", "ID": "CVE-2017-15717", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Sling", "version": { "version_data": [ { "version_value": "XSS Protection API 1.0.4 to 1.0.18" }, { "version_value": "XSS Protection API Compat 1.1.0" }, { "version_value": "XSS Protection API 2.0.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insufficient XSS protection" } ] } ] }, "references": { "reference_data": [ { "name": "[users] 20180110 CVE-2017-15717: Insufficient XSS protection for HREF attributes in Apache Sling XSS Protection API", "refsource": "MLIST", "url": "https://s.apache.org/CVE-2017-15717" } ] } }