Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Sling CMS 0.14.0 and previous releases

Description: Scripts in Sling CMS do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.

Mitigation: All users should upgrade to 0.16.0

Credit: This issue was discovered by Guillaume GRABÉ, Pentester from Orange Cyberdefense France

References: https://sling.apache.org/project-information/security.html
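
The class of defect named in the Description, shown as an added example that is not Sling CMS code: a navigation link built from a URL selector, first concatenated as-is and then validated and HTML-encoded. The class, its method names, the base path and the sample selectors are assumptions constructed for illustration, and the small encoder stands in for a vetted encoding library.

```java
import java.util.List;

public class SelectorEscapeExample {

    // Minimal HTML encoder for element text and quoted attribute values.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Allow-list (assumed policy): selectors a console expects are short tokens.
    static boolean isExpectedSelector(String selector) {
        return selector.matches("[A-Za-z0-9_-]{1,64}");
    }

    // Before: the selector from the URL goes into the markup unchanged.
    static String navItemUnescaped(String basePath, String selector) {
        return "<a href=\"" + basePath + "." + selector + ".html\">" + selector + "</a>";
    }

    // After: unexpected selectors are dropped from the link target,
    // and everything written into the page is HTML-encoded.
    static String navItemEscaped(String basePath, String selector) {
        String safe = isExpectedSelector(selector) ? selector : "";
        String href = basePath + (safe.isEmpty() ? "" : "." + safe) + ".html";
        return "<a href=\"" + encodeForHtml(href) + "\">" + encodeForHtml(selector) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample selectors: one expected, one carrying markup characters.
        for (String sel : List.of("edit", "x\"><i>injected</i>")) {
            System.out.println("unescaped: " + navItemUnescaped("/cms/site/content", sel));
            System.out.println("escaped:   " + navItemEscaped("/cms/site/content", sel));
        }
    }
}
```

For the second sample the unescaped link closes the `href` attribute early and emits an `<i>` element, while the escaped link renders the same characters as inert text. In Sling scripts the `XSSAPI` service (`encodeForHTML`, `encodeForHTMLAttr`) is the usual replacement for a hand-written encoder.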