Bertrand Delacretaz

**Name of the Vulnerable Software and Affected Versions** Apache Sling JCR ContentLoader versions 2.1.4 **Description** The issue allows the import of arbitrary files in the content repository, including local files, potentially causing information leaks. **Recommendations** For Apache Sling JCR ContentLoader version 2.1.4, upgrade to version 2.1.6 of the JCR ContentLoader.

**Name of the Vulnerable Software and Affected Versions** Apache Sling versions prior to 1.0.12 **Description** The issue concerns the XSS Protection API module in Apache Sling, where the method `XSS.getValidXML()` uses an insecure SAX parser to validate input strings. This allows for XXE attacks in scripts that use this method for user input validation, potentially enabling an attacker to read sensitive filesystem data, perform same-site request forgery (SSRF), conduct port scanning behind firewalls, or cause a denial-of-service (DoS) condition. **Recommendations** For versions prior to 1.0.12, update to version 1.0.12 or later to resolve the issue. As a temporary workaround, consider disabling the `XSS.getValidXML()` method until a patch is available. Restrict access to sensitive data and limit the application's ability to make external requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Sling versions prior to 2.1.2 **Description** The issue allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP request. This is due to the `@CopyFrom` operation in the POST servlet not preventing attempts to copy an ancestor node to a descendant node. **Recommendations** For versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the POST servlet to minimize the risk of exploitation.