CVE-2022-28367
Published: 21 April 2022
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Priority
Status
Package | Release | Status |
---|---|---|
libowasp-antisamy-java Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6)
- https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7)
- https://github.com/nahsra/antisamy/releases/tag/v1.6.6
- https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
- https://www.cve.org/CVERecord?id=CVE-2022-28367
- NVD
- Launchpad
- Debian