CVE-2017-15717

Name of the Vulnerable Software and Affected Versions: Apache Sling XSS Protection API versions 1.0.4 through 1.0.18 Apache Sling XSS Protection API Compat version 1.1.0 Apache Sling XSS Protection API version 2.0.0

Description: A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows specially crafted URLs to pass as valid, although they carry XSS payloads.

Recommendations: For Apache Sling XSS Protection API versions 1.0.4 through 1.0.18, update to a version outside of this range to resolve the issue. For Apache Sling XSS Protection API Compat version 1.1.0, consider disabling the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref functions until a patch is available. For Apache Sling XSS Protection API version 2.0.0, restrict the use of the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref functions to minimize the risk of exploitation.