CVE-2022-28367
Published: 21 April 2022
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libowasp-antisamy-java Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6)
- https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7)
- https://github.com/nahsra/antisamy/releases/tag/v1.6.6
- https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae
- https://www.cve.org/CVERecord?id=CVE-2022-28367
- NVD
- Launchpad
- Debian