OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
References
| Link | Resource |
|---|---|
| https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae | Patch Third Party Advisory |
| https://github.com/nahsra/antisamy/releases/tag/v1.6.6 | Patch Release Notes Third Party Advisory |
Configurations
History
03 May 2022, 20:49
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 | |
| CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
| CPE | cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:* | |
| First Time |
Antisamy Project antisamy
Antisamy Project |
|
| References | (MISC) https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae - Patch, Third Party Advisory | |
| References | (MISC) https://github.com/nahsra/antisamy/releases/tag/v1.6.6 - Patch, Release Notes, Third Party Advisory |
21 Apr 2022, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-04-21 23:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-28367
Mitre link : CVE-2022-28367
CVE.ORG link : CVE-2022-28367
JSON object : View
Products Affected
antisamy_project
- antisamy
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')