Vulnerability-Lookup

CVE-2015-2944 (GCVE-0-2015-2944)

Vulnerability from cvelistv5 – Published: 2015-06-02 14:00 – Updated: 2024-08-06 05:32

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.

Severity

No CVSS data available.

CWE

Assigner

jpcert

References

8 references

URL	Tags
http://jvn.jp/en/jp/JVN61328139/index.html	third-party-advisoryx_refsource_JVN
http://www.securityfocus.com/bid/74839	vdb-entryx_refsource_BID
https://issues.apache.org/jira/browse/SLING-2082	x_refsource_CONFIRM
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069	third-party-advisoryx_refsource_JVNDB
https://lists.apache.org/thread.html/rd2a35285863…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r93d68359eb0…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r4f41dd891a5…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r04237d561f3…	mailing-listx_refsource_MLIST

Date Public

2011-05-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:32:20.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "JVN#61328139",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
          },
          {
            "name": "74839",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74839"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/SLING-2082"
          },
          {
            "name": "JVNDB-2015-000069",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVNDB",
              "x_transferred"
            ],
            "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-05-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-09T14:06:14.000Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "name": "JVN#61328139",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
        },
        {
          "name": "74839",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74839"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/SLING-2082"
        },
        {
          "name": "JVNDB-2015-000069",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVNDB"
          ],
          "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
        },
        {
          "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2015-2944",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "JVN#61328139",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
            },
            {
              "name": "74839",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74839"
            },
            {
              "name": "https://issues.apache.org/jira/browse/SLING-2082",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/SLING-2082"
            },
            {
              "name": "JVNDB-2015-000069",
              "refsource": "JVNDB",
              "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2015-2944",
    "datePublished": "2015-06-02T14:00:00.000Z",
    "dateReserved": "2015-04-07T00:00:00.000Z",
    "dateUpdated": "2024-08-06T05:32:20.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2015-2944",
      "date": "2026-06-06",
      "epss": "0.02866",
      "percentile": "0.86551"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.2.0\", \"matchCriteriaId\": \"E07C591D-0BB6-4AFD-8F0A-8C0DDC6EC916\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.1.0\", \"matchCriteriaId\": \"4436136C-E124-40CE-8B4D-C824CBAEADDD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.\"}, {\"lang\": \"es\", \"value\": \"M\\u00faltiples vulnerabilidades de XSS en Apache Sling API anterior a 2.2.2 y Apache Sling Servlets Post anterior a 2.1.2 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\\u00e9s de la URI, relacionado con (1) org/apache/sling/api/servlets/HtmlResponse y (2) org/apache/sling/servlets/post/HtmlResponse.\"}]",
      "id": "CVE-2015-2944",
      "lastModified": "2024-11-21T02:28:22.213",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2015-06-02T14:59:09.863",
      "references": "[{\"url\": \"http://jvn.jp/en/jp/JVN61328139/index.html\", \"source\": \"vultures@jpcert.or.jp\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069\", \"source\": \"vultures@jpcert.or.jp\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/74839\", \"source\": \"vultures@jpcert.or.jp\"}, {\"url\": \"https://issues.apache.org/jira/browse/SLING-2082\", \"source\": \"vultures@jpcert.or.jp\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E\", \"source\": \"vultures@jpcert.or.jp\"}, {\"url\": \"https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E\", \"source\": \"vultures@jpcert.or.jp\"}, {\"url\": \"https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E\", \"source\": \"vultures@jpcert.or.jp\"}, {\"url\": \"https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E\", \"source\": \"vultures@jpcert.or.jp\"}, {\"url\": \"http://jvn.jp/en/jp/JVN61328139/index.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/74839\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://issues.apache.org/jira/browse/SLING-2082\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "vultures@jpcert.or.jp",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2015-2944\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2015-06-02T14:59:09.863\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de XSS en Apache Sling API anterior a 2.2.2 y Apache Sling Servlets Post anterior a 2.1.2 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de la URI, relacionado con (1) org/apache/sling/api/servlets/HtmlResponse y (2) org/apache/sling/servlets/post/HtmlResponse.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.0\",\"matchCriteriaId\":\"E07C591D-0BB6-4AFD-8F0A-8C0DDC6EC916\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.1.0\",\"matchCriteriaId\":\"4436136C-E124-40CE-8B4D-C824CBAEADDD\"}]}]}],\"references\":[{\"url\":\"http://jvn.jp/en/jp/JVN61328139/index.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/74839\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://issues.apache.org/jira/browse/SLING-2082\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"http://jvn.jp/en/jp/JVN61328139/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/74839\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/jira/browse/SLING-2082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CNVD-2015-03619

Vulnerability from cnvd - Published: 2015-06-05

Title

Apache Sling API和Sling Servlets跨站脚本漏洞

Description

Apache Sling API是美国阿帕奇（Apache）软件基金会的一套用于构建Web应用程序的框架。Apache Sling Servlets Post是其中的一个容器。 Apache Sling API和Sling Servlets存在跨站脚本漏洞。允许远程攻击者利用该漏洞通过URI注入任意Web脚本或HTML。

Severity

中

Patch Name

Apache Sling API和Sling Servlets跨站脚本漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://issues.apache.org/jira/browse/SLING-2082

Reference

http://www.securityfocus.com/bid/74839 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944

Impacted products

Name
['Apache Sling API < 2.2.2', 'Apache Sling Servlets < 2.1.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "74839"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-2944"
    }
  },
  "description": "Apache Sling API\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u6784\u5efaWeb\u5e94\u7528\u7a0b\u5e8f\u7684\u6846\u67b6\u3002Apache Sling Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nApache Sling API\u548cSling Servlets\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7URI\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "discovererName": "MORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://issues.apache.org/jira/browse/SLING-2082",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03619",
  "openTime": "2015-06-05",
  "patchDescription": "Apache Sling API\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u6784\u5efaWeb\u5e94\u7528\u7a0b\u5e8f\u7684\u6846\u67b6\u3002Apache Sling Servlets Post\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5bb9\u5668\u3002\r\n\r\nApache Sling API\u548cSling Servlets\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7URI\u6ce8\u5165\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Sling API\u548cSling Servlets\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Sling API \u003c 2.2.2",
      "Apache Sling Servlets \u003c 2.1.2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/74839\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944",
  "serverity": "\u4e2d",
  "submitTime": "2015-06-04",
  "title": "Apache Sling API\u548cSling Servlets\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

FKIE_CVE-2015-2944

Vulnerability from fkie_nvd - Published: 2015-06-02 14:59 - Updated: 2026-05-06 22:30

Severity

Summary

References

URL	Tags
vultures@jpcert.or.jp	http://jvn.jp/en/jp/JVN61328139/index.html	Vendor Advisory
vultures@jpcert.or.jp	http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069	Vendor Advisory
vultures@jpcert.or.jp	http://www.securityfocus.com/bid/74839
vultures@jpcert.or.jp	https://issues.apache.org/jira/browse/SLING-2082	Exploit, Vendor Advisory
vultures@jpcert.or.jp	https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E
vultures@jpcert.or.jp	https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
vultures@jpcert.or.jp	https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
vultures@jpcert.or.jp	https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	http://jvn.jp/en/jp/JVN61328139/index.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/74839
af854a3a-2127-422b-91ae-364da2661108	https://issues.apache.org/jira/browse/SLING-2082	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E

Impacted products

	Vendor	Product	Version
	apache	sling_api	*
	apache	sling_servlets_post	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E07C591D-0BB6-4AFD-8F0A-8C0DDC6EC916",
              "versionEndIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4436136C-E124-40CE-8B4D-C824CBAEADDD",
              "versionEndIncluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de XSS en Apache Sling API anterior a 2.2.2 y Apache Sling Servlets Post anterior a 2.1.2 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de la URI, relacionado con (1) org/apache/sling/api/servlets/HtmlResponse y (2) org/apache/sling/servlets/post/HtmlResponse."
    }
  ],
  "id": "CVE-2015-2944",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2015-06-02T14:59:09.863",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "http://www.securityfocus.com/bid/74839"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/SLING-2082"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/74839"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/SLING-2082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea%40%3Cdev.sling.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16%40%3Cdev.sling.apache.org%3E"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-RXVX-44W5-44R7

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-07-06 20:20

Summary

Improper Neutralization of Input During Web Page Generation in Apache Sling

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.sling:org.apache.sling.api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.sling:org.apache.sling.servlets.post"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-2944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:20:19Z",
    "nvd_published_at": "2015-06-02T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.",
  "id": "GHSA-rxvx-44w5-44r7",
  "modified": "2022-07-06T20:20:19Z",
  "published": "2022-05-13T01:10:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2944"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SLING-2082"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
    },
    {
      "type": "WEB",
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Neutralization of Input During Web Page Generation in Apache Sling"
}

GSD-2015-2944

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2015-2944

Aliases

CVE-2015-2944

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-2944",
    "description": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.",
    "id": "GSD-2015-2944"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-2944"
      ],
      "details": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.",
      "id": "GSD-2015-2944",
      "modified": "2023-12-13T01:20:00.531737Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2015-2944",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "JVN#61328139",
            "refsource": "JVN",
            "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
          },
          {
            "name": "74839",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/74839"
          },
          {
            "name": "https://issues.apache.org/jira/browse/SLING-2082",
            "refsource": "CONFIRM",
            "url": "https://issues.apache.org/jira/browse/SLING-2082"
          },
          {
            "name": "JVNDB-2015-000069",
            "refsource": "JVNDB",
            "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E"
          },
          {
            "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.2.1]",
          "affected_versions": "All versions up to 2.2.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-07-06",
          "description": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.",
          "fixed_versions": [
            "2.2.2"
          ],
          "identifier": "CVE-2015-2944",
          "identifiers": [
            "GHSA-rxvx-44w5-44r7",
            "CVE-2015-2944"
          ],
          "not_impacted": "All versions after 2.2.1",
          "package_slug": "maven/org.apache.sling/org.apache.sling.api",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to version 2.2.2 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-2944",
            "https://issues.apache.org/jira/browse/SLING-2082",
            "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E",
            "http://jvn.jp/en/jp/JVN61328139/index.html",
            "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069",
            "https://github.com/advisories/GHSA-rxvx-44w5-44r7"
          ],
          "uuid": "156487de-51f4-4d6e-a319-f23a2187e7c4"
        },
        {
          "affected_range": "(,2.1.1]",
          "affected_versions": "All versions up to 2.1.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-07-06",
          "description": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.",
          "fixed_versions": [
            "2.1.2"
          ],
          "identifier": "CVE-2015-2944",
          "identifiers": [
            "GHSA-rxvx-44w5-44r7",
            "CVE-2015-2944"
          ],
          "not_impacted": "All versions after 2.1.1",
          "package_slug": "maven/org.apache.sling/org.apache.sling.servlets.post",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to version 2.1.2 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-2944",
            "https://issues.apache.org/jira/browse/SLING-2082",
            "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E",
            "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E",
            "http://jvn.jp/en/jp/JVN61328139/index.html",
            "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069",
            "https://github.com/advisories/GHSA-rxvx-44w5-44r7"
          ],
          "uuid": "0822473f-7718-4a65-9503-93e1c33ab31e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:sling_servlets_post:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2015-2944"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "JVNDB-2015-000069",
              "refsource": "JVNDB",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069"
            },
            {
              "name": "https://issues.apache.org/jira/browse/SLING-2082",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://issues.apache.org/jira/browse/SLING-2082"
            },
            {
              "name": "JVN#61328139",
              "refsource": "JVN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://jvn.jp/en/jp/JVN61328139/index.html"
            },
            {
              "name": "74839",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/74839"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Created] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Commented] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Comment Edited] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E"
            },
            {
              "name": "[sling-dev] 20210409 [jira] [Resolved] (SLING-10284) Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2021-04-09T15:15Z",
      "publishedDate": "2015-06-02T14:59Z"
    }
  }
}

JVNDB-2015-000069

Vulnerability from jvndb - Published: 2015-05-27 14:43 - Updated:2015-06-04 15:39

Severity

N/A (UNKNOWN) - -

Summary

Apache Sling API and Servlets Post components vulnerable to cross-site scripting

Details

Apache Sling is an open source web application framework provided by The Apache Software Foundation. Sling API and Servlet Post components included in Apache Sling contain a cross-site scripting vulnerability (CWE-79) in the error page and the generation of the job completion. MORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	http://jvn.jp/en/jp/JVN61328139/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944
	NVD	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

	Apache Software Foundation	Apache Sling API
	Apache Software Foundation	Apache Sling Servlets Post

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000069.html",
  "dc:date": "2015-06-04T15:39+09:00",
  "dcterms:issued": "2015-05-27T14:43+09:00",
  "dcterms:modified": "2015-06-04T15:39+09:00",
  "description": "Apache Sling is an open source web application framework provided by The Apache Software Foundation.\r\nSling API and Servlet Post components included in Apache Sling contain a cross-site scripting vulnerability (CWE-79) in the error page and the generation of the job completion.\r\n\r\nMORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000069.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:apache:sling_api",
      "@product": "Apache Sling API",
      "@vendor": "Apache Software Foundation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:apache:sling_servlets_post",
      "@product": "Apache Sling Servlets Post",
      "@vendor": "Apache Software Foundation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "4.3",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "@version": "2.0"
  },
  "sec:identifier": "JVNDB-2015-000069",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN61328139/index.html",
      "@id": "JVN#61328139",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944",
      "@id": "CVE-2015-2944",
      "@source": "CVE"
    },
    {
      "#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944",
      "@id": "CVE-2015-2944",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Apache Sling API and Servlets Post components vulnerable to cross-site scripting"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-2944 (GCVE-0-2015-2944)

CNVD-2015-03619

FKIE_CVE-2015-2944

GHSA-RXVX-44W5-44R7

GSD-2015-2944

JVNDB-2015-000069

Tags

Sightings

Nomenclature