CVE-2022-45064: 
Java vulnerability analysis and mitigation

The Apache Sling Engine contains a vulnerability (CVE-2022-45064) in the SlingRequestDispatcher component that doesn't correctly implement the RequestDispatcher API, leading to include-based cross-site scripting issues. The vulnerability was disclosed and published on April 13, 2023, affecting Apache Sling versions prior to 2.14.0 (NVD).

The vulnerability stems from improper implementation of the RequestDispatcher API in the SlingRequestDispatcher component. It has been assigned a CVSS v3.1 base score of 9.0 (Critical) by NIST and 8.0 (High) by Apache Software Foundation. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) (NVD).

A successful exploitation of this vulnerability can lead to privilege escalation to administrative power. The vulnerability allows attackers who can include a resource with specific content-type and control the include path to execute cross-site scripting attacks (NVD).

Users are advised to update to Apache Sling Engine version 2.14.0 or later and enable the 'Check Content-Type overrides' configuration option to mitigate this vulnerability (NVD).