Severity: High
Vendor: The Apache Software Foundation
Versions Affected: Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0, Apache Sling XSS Protection API 2.0.0
Description: A flaw in the way URLs are escaped and encoded in org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid, although they carry XSS payloads.
Mitigation: Users should upgrade to version 2.0.4 or later of the Apache Sling XSS Protection API module.
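As an added example (not part of this advisory), the following Python script flags Maven dependencies that fall inside the affected ranges listed above, so a build can be checked before upgrading. The artifactIds org.apache.sling.xss and org.apache.sling.xss.compat and the `mvn dependency:list` output format are assumptions; the version ranges are the advisory's own.

```python
import re
from typing import List, Tuple

# Added example, not part of the advisory. Version ranges come from the
# advisory; the Maven artifactIds below are assumptions.
GROUP = "org.apache.sling"
AFFECTED = [  # (artifactId, lowest affected, highest affected), inclusive
    ("org.apache.sling.xss", (1, 0, 4), (1, 0, 18)),
    ("org.apache.sling.xss.compat", (1, 1, 0), (1, 1, 0)),
    ("org.apache.sling.xss", (2, 0, 0), (2, 0, 0)),
]
FIXED = "2.0.4"  # advisory: upgrade to 2.0.4 or later


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.18' -> (1, 0, 18); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected(artifact: str, version: str) -> bool:
    """True when (artifact, version) falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(a == artifact and lo <= v <= hi for a, lo, hi in AFFECTED)


# One line of `mvn dependency:list` output looks like (assumed format):
#   [INFO]    org.apache.sling:org.apache.sling.xss:jar:1.0.18:compile
LINE = re.compile(r"(?P<g>[\w.]+):(?P<a>[\w.-]+):jar:(?P<v>[\w.-]+):\w+")


def scan_dependency_list(output: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs that are in the affected ranges."""
    return [
        (m.group("a"), m.group("v"))
        for m in LINE.finditer(output)
        if m.group("g") == GROUP and is_affected(m.group("a"), m.group("v"))
    ]


# Constructed sample output, not taken from a real build
SAMPLE = """
[INFO]    org.apache.sling:org.apache.sling.api:jar:2.22.0:provided
[INFO]    org.apache.sling:org.apache.sling.xss:jar:1.0.18:compile
[INFO]    org.apache.sling:org.apache.sling.xss.compat:jar:1.1.0:compile
[INFO]    org.apache.sling:org.apache.sling.xss:jar:2.0.4:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE):
        print(f"affected: {artifact} {version}, upgrade to {FIXED} or later")
```

Run it against the real output of `mvn dependency:list` to get the list of coordinates that need the upgrade.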
