CVE-2022-46769 - Vulnerability Details - OpenCVE

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.

Upgrade to Apache Sling App CMS >= 1.1.4

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00249.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apache Subscribe	Sling Cms Subscribe

Configuration 1 [-]

cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0315	An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4
Github GHSA	GHSA-38m2-vr6g-8c94	Apache Sling App CMS vulnerable to reflected Cross-site Scripting

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://sling.apache.org/news.html

History

Wed, 09 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-01-09T10:14:56.823Z

Updated: 2025-04-09T19:26:54.690Z

Reserved: 2022-12-07T19:05:24.777Z

Link: CVE-2022-46769

Vulnrichment

Updated: 2024-08-03T14:39:38.519Z

NVD

Status : Modified

Published: 2023-01-09T11:15:10.700

Modified: 2025-04-09T20:15:22.957

Link: CVE-2022-46769

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46769", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-12-07T19:05:24.777Z", "datePublished": "2023-01-09T10:14:56.823Z", "dateUpdated": "2025-04-09T19:26:54.690Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Sling App CMS", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.1.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Apache Sling would like to thank Sam Bagheri for reporting this issue"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.<br><br><span style=\"background-color: rgb(255, 255, 255);\">Upgrade to Apache Sling App CMS >= 1.1.4</span> <br>"}], "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS >= 1.1.4 \n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-01-09T10:14:56.823Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://sling.apache.org/news.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Sling App CMS: XSS in CMS Site Group Detail", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.519Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://sling.apache.org/news.html"}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-09T19:26:32.081207Z", "id": "CVE-2022-46769", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T19:26:54.690Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sling.apache.org/news.html", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.519Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-46769", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-09T19:26:32.081207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T19:26:49.226Z"}}], "cna": {"title": "Apache Sling App CMS: XSS in CMS Site Group Detail", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Apache Sling would like to thank Sam Bagheri for reporting this issue"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Sling App CMS", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://sling.apache.org/news.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS >= 1.1.4 \n", "supportingMedia": [{"type": "text/html", "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.<br><br><span style=\"background-color: rgb(255, 255, 255);\">Upgrade to Apache Sling App CMS >= 1.1.4</span> <br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-01-09T10:14:56.823Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46769", "state": "PUBLISHED", "dateUpdated": "2025-04-09T19:26:54.690Z", "dateReserved": "2022-12-07T19:05:24.777Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-01-09T10:14:56.823Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DC2CC7D-C127-4841-A5F3-A73CF3E02784", "versionEndExcluding": "1.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature.\n\nUpgrade to Apache Sling App CMS >= 1.1.4 \n"}, {"lang": "es", "value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web ('Cross-site Scripting') vulnerabilidad [CWE-79] en Sling App CMS versi\u00f3n 1.1.2 y anteriores puede permitir que un atacante remoto autenticado realice un cross-site scripting reflejado (XSS) ataque en la funci\u00f3n de grupo de sitios. Actualice a la aplicaci\u00f3n CMS Apache Sling >= 1.1.4"}], "id": "CVE-2022-46769", "lastModified": "2025-04-09T20:15:22.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-09T11:15:10.700", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://sling.apache.org/news.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://sling.apache.org/news.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}]}