There is a XSS vulnerability in configMgr where adding a html or script tag in log file name. Since this console is only accessible to admin, threat rating of this vulnerability is very low.
Steps to reproduce :
- In /system/console/configMgr, find Apache Sling Logging Logger Configuration
- Edit one of the logs, e.g logs/auditlog.log
- Change to logs/auditlog.log<script>alert("xss")</script>
- Click Save and refresh
- Scroll to the configuration and see alert pop up injected
Expected Behavior : Injected script should be escaped.