PT-2023-14581 · Apache · Apache Sling Engine

Lars Krapf · Published 2023-04-13 · Updated 2025-06-13 · CVE-2022-45064

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Sling Engine versions prior to 2.14.0
Description: The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API, resulting in include-based cross-site scripting issues at the Apache Sling level. An attacker who can include a resource with a specific content-type and control the include path can exploit this issue, leading to privilege escalation to administrative power.
Recommendations: Update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.

Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2022-45064
GHSA-MG46-F9H5-G27X

Affected Products

Apache Sling Engine