{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/129097?format=json","vulnerability_id":"VCID-unun-7535-7yd4","summary":"Privilege Escalation vulnerability in Apache Software Foundation Apache Sling.\nAny content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to change any text or dialog in the product. For example an attacker might fool someone by changing the text on a delete button to \"Info\".\nThis issue affects the i18n module of Apache Sling up to version 2.5.18. Version 2.6.2 and higher limit by default i18m dictionaries to certain paths in the repository (/libs and /apps).\n\nUsers of the module are advised to update to version 2.6.2 or higher, check the configuration for resource loading and then adjust the access permissions for the configured path accordingly.","aliases":[{"alias":"CVE-2023-25621"},{"alias":"GHSA-mrpv-5pmr-p92h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380481?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.6.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/616608?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616609?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/616610?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/616611?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616612?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/616613?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616614?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/616615?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/616616?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/616617?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.2.10"},{"url":"http://public2.vulnerablecode.io/api/packages/616618?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616619?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616620?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/616621?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/616622?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.8"},{"url":"http://public2.vulnerablecode.io/api/packages/616623?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.4.10"},{"url":"http://public2.vulnerablecode.io/api/packages/616624?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/616625?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.2"},{"url":"http://public2.vulnerablecode.io/api/packages/616626?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/616627?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/616628?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/616629?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.10"},{"url":"http://public2.vulnerablecode.io/api/packages/616630?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.12"},{"url":"http://public2.vulnerablecode.io/api/packages/616631?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.14"},{"url":"http://public2.vulnerablecode.io/api/packages/616632?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.16"},{"url":"http://public2.vulnerablecode.io/api/packages/616633?format=json","purl":"pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-unun-7535-7yd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.sling/org.apache.sling.i18n@2.5.18"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25621","reference_id":"","reference_type":"","scores":[{"value":"0.00871","scoring_system":"epss","scoring_elements":"0.7573","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00871","scoring_system":"epss","scoring_elements":"0.75725","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00871","scoring_system":"epss","scoring_elements":"0.75646","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00871","scoring_system":"epss","scoring_elements":"0.75716","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25621"},{"reference_url":"https://github.com/apache/sling-org-apache-sling-i18n/pull/9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/sling-org-apache-sling-i18n/pull/9"},{"reference_url":"https://issues.apache.org/jira/browse/SLING-11744","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/SLING-11744"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25621","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25621"},{"reference_url":"https://seclists.org/oss-sec/2023/q1/112","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/oss-sec/2023/q1/112"},{"reference_url":"https://github.com/advisories/GHSA-mrpv-5pmr-p92h","reference_id":"GHSA-mrpv-5pmr-p92h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mrpv-5pmr-p92h"},{"reference_url":"https://sling.apache.org/news.html","reference_id":"news.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-18T15:00:24Z/"}],"url":"https://sling.apache.org/news.html"}],"weaknesses":[{"cwe_id":269,"name":"Improper Privilege Management","description":"The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-unun-7535-7yd4"}