Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Sling XSS Protection API 1.0.8

Description: The encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

Mitigation: Users should upgrade to version 1.0.12 or later of the XSS Protection API module.
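
The following is an added example, not code from Apache Sling or from this advisory. It shows why an encoder for JavaScript string context must also neutralise script tags, together with a check that can serve as a regression test. All function names are hypothetical, and since the advisory does not say which input patterns affect 1.0.8, the naive encoder is only a stand-in for "not restrictive enough".

```javascript
// Added illustration, not Apache Sling code; all function names are hypothetical.

// Stand-in for an encoder that is "not restrictive enough": it escapes only
// the characters that would end the quoted JavaScript string itself.
function naiveEncodeForJSString(input) {
  return String(input).replace(/[\\'"]/g, (c) => "\\" + c);
}

// Allow-list encoder: letters, digits and a few inert punctuation characters
// pass through; every other UTF-16 code unit becomes a \uXXXX escape, so the
// HTML parser never sees '<', '>', '/', '&', quotes or line terminators.
function strictEncodeForJSString(input) {
  let out = "";
  for (const unit of String(input).split("")) {
    if (/^[A-Za-z0-9 _.,-]$/.test(unit)) {
      out += unit;
    } else {
      const hex = unit.charCodeAt(0).toString(16).toUpperCase();
      out += "\\u" + hex.padStart(4, "0");
    }
  }
  return out;
}

// True when text destined for an inline <script> block still contains a
// sequence the HTML tokenizer reacts to before the JavaScript engine runs.
function hasScriptBreakout(encoded) {
  return /<\/script|<script|<!--/i.test(encoded);
}

// What the JavaScript engine would recover from the strictly encoded literal.
// JSON.parse is used because the strict output contains only \uXXXX escapes.
function decodeStrict(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Constructed sample input, not taken from the advisory.
const SAMPLE = "it's </script><script>constructed_marker()</script>";

console.log("naive :", naiveEncodeForJSString(SAMPLE),
            "breakout:", hasScriptBreakout(naiveEncodeForJSString(SAMPLE)));
console.log("strict:", strictEncodeForJSString(SAMPLE),
            "breakout:", hasScriptBreakout(strictEncodeForJSString(SAMPLE)));
```

The same `hasScriptBreakout` check can be pointed at the output of whichever encoder a deployment actually uses, before and after the upgrade to 1.0.12.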