Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
sling vulnerabilities and exploits
(subscribe to this query)
5.8
CVSSv2
CVE-2013-4390
Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle prior to 1.1.4 in Apache Sling allows remote malicious users to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource p...
Apache Sling
Apache Sling Auth Core Component
Apache Sling Auth Core Component 1.1.0
Apache Sling Auth Core Component 1.0.6
Apache Sling Auth Core Component 1.0.4
Apache Sling Auth Core Component 1.0.2
4.3
CVSSv2
CVE-2015-2944
Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API prior to 2.2.2 and Apache Sling Servlets Post prior to 2.1.2 allow remote malicious users to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) ...
Apache Sling Servlets Post
Apache Sling Api
5
CVSSv2
CVE-2022-32549
Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an malicious user to cover tracks by injecting fake logs and potentially corrupt log files.
Apache Sling Commons Log
Apache Sling Api
4.3
CVSSv2
CVE-2017-15717
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling X...
Apache Sling Xss Protection Api
Apache Sling Xss Protection Api 2.0.0
Apache Sling Xss Protection Api Compat 1.1.0
7.5
CVSSv2
CVE-2016-6798
In the XSS Protection API module prior to 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an malicious use...
Apache Sling
NA
CVE-2022-45064
The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specif...
Apache Sling
4.3
CVSSv2
CVE-2016-5394
In the XSS Protection API module prior to 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
Apache Sling
NA
CVE-2022-43670
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote malicious user to perform a reflected cross site scripting (XSS) attack in the taxon...
Apache Sling Cms
NA
CVE-2023-22849
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote malicious user to perform a reflected cross-site scripting (XSS) attack in multiple ...
Apache Sling Cms
NA
CVE-2023-25621
Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to ch...
Apache Sling I18n
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-32744
privilege escalation
CVE-2024-30253
CVE-2024-3914
cross-site scripting
CVE-2024-31497
CVE-2024-3400
CVE-2024-32341
hardcoded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »