Apache · Apache Sling Servlets Post · CVE-2015-2944
**Name of the Vulnerable Software and Affected Versions**
Apache Sling API versions prior to 2.2.2
Apache Sling Servlets Post versions prior to 2.1.2
**Description**
The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the URI. It is related to the `org/apache/sling/api/servlets/HtmlResponse` and `org/apache/sling/servlets/post/HtmlResponse` components.
**Recommendations**
For Apache Sling API versions prior to 2.2.2, update to version 2.2.2 or later.
For Apache Sling Servlets Post versions prior to 2.1.2, update to version 2.1.2 or later.
As a temporary workaround, consider restricting access to the `org/apache/sling/api/servlets/HtmlResponse` and `org/apache/sling/servlets/post/HtmlResponse` components until the update can be applied.
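
To check a deployment against the fixed versions above, the following added example (not part of the original advisory or of Apache Sling) classifies bundles from a plain-text inventory. The "symbolic-name version" line format and the sample data are assumptions made for illustration; the bundle names are the usual OSGi symbolic names for the two modules.

```python
import re

# Fixed versions from the advisory, keyed by OSGi Bundle-SymbolicName (assumed names).
FIXED = {
    "org.apache.sling.api": (2, 2, 2),
    "org.apache.sling.servlets.post": (2, 1, 2),
}
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.-](.+))?$")

def parse_version(text):
    """Return ((major, minor, micro), qualifier) for an OSGi or Maven style version."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(g) if g else 0 for g in m.groups()[:3])
    return nums, (m.group(4) or "")

def assess(symbolic_name, version):
    """Classify one bundle as 'not-affected', 'vulnerable', 'fixed' or 'review'."""
    fixed = FIXED.get(symbolic_name)
    if fixed is None:
        return "not-affected"
    try:
        nums, qualifier = parse_version(version)
    except ValueError:
        return "review"  # cannot decide automatically, needs a human look
    if nums < fixed:
        return "vulnerable"
    # A SNAPSHOT of the fixed release may predate the fix; do not call it clean.
    if nums == fixed and "SNAPSHOT" in qualifier.upper():
        return "review"
    return "fixed"

def audit(inventory):
    """Map (symbolic_name, version) to a status for each 'name version' line."""
    rows = (line.split() for line in inventory.splitlines())
    return {(r[0], r[1]): assess(r[0], r[1]) for r in rows if len(r) >= 2}

# Constructed sample inventory, not taken from a real system.
SAMPLE = """\
org.apache.sling.api            2.2.0
org.apache.sling.servlets.post  2.1.2
org.apache.sling.api            2.2.2.SNAPSHOT
org.apache.sling.engine         2.2.0
"""

if __name__ == "__main__":
    for (name, ver), status in audit(SAMPLE).items():
        print(f"{status:12} {name} {ver}")
```

Bundles reported as `review` have a version string that cannot be confirmed as containing the fix and should be checked by hand.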