{"id":"CVE-2022-43670","details":"An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.","aliases":["GHSA-jj93-4jr5-x45h"],"modified":"2026-04-12T04:17:29.194967Z","published":"2022-11-02T13:15:19.997Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/11/02/8"},{"type":"REPORT","url":"https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/sling-org-apache-sling-app-cms","events":[{"introduced":"0"},{"last_affected":"842104827ee6ee9e7c38bee9a6ca56d5e464a806"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.1.0"}],"cpe":"cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*"}}],"versions":["org.apache.sling.cms-0.10.0","org.apache.sling.cms-0.11.0","org.apache.sling.cms-0.12.0","org.apache.sling.cms-0.14.0","org.apache.sling.cms-0.16.0","org.apache.sling.cms-0.16.2","org.apache.sling.cms-1.0.2","org.apache.sling.cms-1.0.4","org.apache.sling.cms-1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-43670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}