ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
References
Link | Resource |
---|---|
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf | Exploit Mitigation Third Party Advisory |
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt | Release Notes |
https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230127-0014/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
23 Jun 2023, 19:33
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-Other |
23 Feb 2023, 18:48
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netapp oncommand Workflow Automation
Netapp active Iq Unified Manager Netapp |
|
CPE | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230127-0014/ - Third Party Advisory |
27 Jan 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Dec 2022, 15:36
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle weblogic Server
Oracle |
|
CPE | cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* |
|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:22
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 May 2022, 18:04
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf - Exploit, Mitigation, Third Party Advisory | |
References | (MISC) https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt - Release Notes, Third Party Advisory | |
References | (CONFIRM) https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q - Third Party Advisory | |
First Time |
Owasp enterprise Security Api
Owasp |
|
CPE | cpe:2.3:a:owasp:enterprise_security_api:*:*:*:*:*:*:*:* | |
CWE | CWE-79 | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
27 Apr 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-27 21:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-24891
Mitre link : CVE-2022-24891
CVE.ORG link : CVE-2022-24891
JSON object : View
Products Affected
netapp
- active_iq_unified_manager
- oncommand_workflow_automation
owasp
- enterprise_security_api
oracle
- weblogic_server
CWE
NVD-CWE-Other
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')