Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-29577

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

Published

2022-04-21T23:15:10.467

Last Modified

2024-11-21T06:59:20.210

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	antisamy_project	antisamy	< 1.6.7	Yes
Application	oracle	enterprise_manager_base_platform	13.4.0.0	Yes
Application	oracle	enterprise_manager_base_platform	13.5.0.0	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes

References

https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 Patch ([email protected])
https://github.com/nahsra/antisamy/releases/tag/v1.6.7 Release Notes ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nahsra/antisamy/releases/tag/v1.6.7 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)