CVE-2023-25141 – JNDI injection into Apache sling-org-apache-sling-jcr-base
https://notcve.org/view.php?id=CVE-2023-25141
Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK. • https://sling.apache.org/news.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-22849 – Apache Sling App CMS: XSS in CMS Reference / UI Components
https://notcve.org/view.php?id=CVE-2023-22849
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6 • https://sling.apache.org/news.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-46769 – Apache Sling App CMS: XSS in CMS Site Group Detail
https://notcve.org/view.php?id=CVE-2022-46769
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4 Una neutralización inadecuada de la entrada durante la generación de la página web ('Cross-site Scripting') vulnerabilidad [CWE-79] en Sling App CMS versión 1.1.2 y anteriores puede permitir que un atacante remoto autenticado realice un cross-site scripting reflejado (XSS) ataque en la función de grupo de sitios. Actualice a la aplicación CMS Apache Sling >= 1.1.4 • https://sling.apache.org/news.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-43670 – XSS in Sling CMS Reference App Taxonomy Path
https://notcve.org/view.php?id=CVE-2022-43670
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature. Una neutralización inadecuada de la entrada durante la generación de la página web ('Cross-site Scripting') vulnerabilidad [CWE-79] en Sling App CMS versión 1.1.0 y anteriores puede permitir que un atacante remoto autenticado realice un ataque de Cross-Site Scripting (XSS) Reflejado en la función de gestión de taxonomía. • http://www.openwall.com/lists/oss-security/2022/11/02/8 https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-32549 – log injection in Sling logging
https://notcve.org/view.php?id=CVE-2022-32549
Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files. Apache Sling Commons Log versiones anteriores a 5.4.0 incluyéndola y Apache Sling API versiones anteriores a 2.25.0 incluyéndola, son vulnerables a una inyección de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro • https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •