CVE-2016-5394

medium

Apache

CVSS v3 Base Score

6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score

1.1%

Exploitation probability in 30 days

Top 22% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

Low

Integrity

Low

Availability

None

Published: July 19, 2017 (3221 days ago)

Last Modified: May 13, 2026

Vendor: Apache

Source: NVD

Description

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

CWE

CWE-79

Affected Products

apache sling

References

🔗 www.securityfocus.com 🔗 lists.apache.org 🔗 www.securityfocus.com 🔗 lists.apache.org

CVE-2016-5394

Vulnerability Report

Description

CWE

Affected Products

References