CVE-2022-24891

Published: Apr 27, 2022Modified: Nov 3, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

Affected (8)

Products: Owasp: Enterprise Security Api · Oracle: Weblogic Server · Netapp: Active Iq Unified Manager, Oncommand Workflow Automation

Owasp

1 product

Enterprise Security Api

Oracle

1 product

Weblogic Server

Netapp

2 products

Active Iq Unified Manager

Oncommand Workflow Automation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Owasp Enterprise Security Api	Before 2.3.0.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Weblogic Server	Version 12.2.1.3.0
Oracle Weblogic Server	Version 12.2.1.4.0
Oracle Weblogic Server	Version 14.1.1.0.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Oncommand Workflow Automation	All versions