CVE-2022-24891

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.owasp.esapi/esapi

Identifiers

CVE-2022-24891, GHSA-q77q-vx4q-xx6q

Package Slug

maven/org.owasp.esapi/esapi

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for onsiteURL in the antisamy-esapi.xml configuration file that can cause javascript: URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the onsiteURL regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

Affected Versions

All versions before 2.3.0.0

Solution

Upgrade to version 2.3.0.0 or above.

Last Modified

2022-05-01

source