Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation
Severity: High
GitHub Reviewed
Published to the GitHub Advisory Database: Apr 13, 2023
Updated: Apr 18, 2023
Package
Affected versions: < 2.14.0
Patched versions: 2.14.0
Description
Published by the National Vulnerability Database: Apr 13, 2023
Published to the GitHub Advisory Database: Apr 13, 2023
Reviewed: Apr 14, 2023
Last updated: Apr 18, 2023
The SlingRequestDispatcher does not correctly implement the RequestDispatcher API, resulting in a generic class of include-based cross-site scripting (XSS) issues at the Apache Sling level. The vulnerability is exploitable by an attacker who is able to include a resource with a specific content type and who controls the include path (i.e. can write content). The impact of a successful attack is privilege escalation to administrative power.
Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.
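The Servlet API contract for RequestDispatcher.include() is that the included resource cannot change the status code, headers or Content-Type of the outer response; such calls are to be ignored. The following is an added illustration of enforcing that contract with a response wrapper, written for this page. It is not Apache Sling's code and does not claim to reproduce how the "Check Content-Type overrides" option is implemented; the class name IncludeContentTypeGuard, the guardedInclude helper and the use of the javax.servlet package are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical wrapper (example code, not Sling's) placed around the outer
 * response for the duration of an include. It enforces the
 * RequestDispatcher.include() contract: the included resource may write to the
 * body but may not alter the outer response's Content-Type, headers or status.
 * Rejected attempts are counted so the caller can log them as a signal that an
 * included resource tried to change how the page is interpreted by the browser.
 */
public class IncludeContentTypeGuard extends HttpServletResponseWrapper {

    private int rejectedOverrides = 0;

    public IncludeContentTypeGuard(HttpServletResponse response) {
        super(response);
    }

    /** Number of Content-Type/header/status changes the include attempted. */
    public int getRejectedOverrides() {
        return rejectedOverrides;
    }

    // The outer response owns the Content-Type; included content inherits it.
    @Override
    public void setContentType(String type) { rejectedOverrides++; }

    // Charset is part of the Content-Type, so it is frozen as well.
    @Override
    public void setCharacterEncoding(String charset) { rejectedOverrides++; }

    // Header setters of every flavour are ignored (Content-Type can also be
    // set through setHeader).
    @Override
    public void setHeader(String name, String value) { rejectedOverrides++; }

    @Override
    public void addHeader(String name, String value) { rejectedOverrides++; }

    @Override
    public void setIntHeader(String name, int value) { rejectedOverrides++; }

    @Override
    public void addIntHeader(String name, int value) { rejectedOverrides++; }

    @Override
    public void setDateHeader(String name, long date) { rejectedOverrides++; }

    @Override
    public void addDateHeader(String name, long date) { rejectedOverrides++; }

    // Status changes are likewise forbidden during an include.
    @Override
    public void setStatus(int sc) { rejectedOverrides++; }

    @Override
    public void sendError(int sc) throws IOException { rejectedOverrides++; }

    @Override
    public void sendError(int sc, String msg) throws IOException { rejectedOverrides++; }

    /**
     * Performs an include through the guard. The outer response's Content-Type
     * is decided by the caller before this point and cannot be changed by the
     * included resource. Returns the number of rejected override attempts so
     * the caller can log or alert on a non-zero value.
     */
    public static int guardedInclude(HttpServletRequest req, HttpServletResponse res,
                                     String includePath)
            throws ServletException, IOException {
        RequestDispatcher dispatcher = req.getRequestDispatcher(includePath);
        if (dispatcher == null) {
            throw new ServletException("No dispatcher for include path: " + includePath);
        }
        IncludeContentTypeGuard guard = new IncludeContentTypeGuard(res);
        dispatcher.include(req, guard);
        return guard.getRejectedOverrides();
    }
}
```

A non-zero return from guardedInclude is the detection point: in a correct include nothing should be trying to change the Content-Type, so any attempt is worth recording alongside the include path and the authenticated user.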