CVE-2022-28367

Published: Apr 21, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

Affected (1)

Products: Antisamy Project: Antisamy

Antisamy Project

1 product

Antisamy

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Antisamy Project Antisamy	Before 1.6.6

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/nahsra/antisamy/releases/tag/v1.6.6

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/nahsra/antisamy/releases/tag/v1.6.6

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesThird Party Advisory

Timeline

No history available yet.