CVE-2016-5394

Name of the Vulnerable Software and Affected Versions Apache Sling versions prior to 1.0.12

Description The issue arises from the XSS Protection API module, where the encoding performed by the XSSAPI.encodeForJSString() method is not restrictive enough. This allows script tags to pass through unencoded for certain input patterns, potentially leading to XSS vulnerabilities.

Recommendations For versions prior to 1.0.12, update to version 1.0.12 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XSSAPI.encodeForJSString() method until a patch is applied.