CVE-2016-5394
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2017-07-19T15:29:00.180 · Last modified 2026-06-17T00:49:19.870

Summary

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and, for some input patterns, allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Affected products

apache — sling


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.