CVE-2022-24891: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for onsiteURL in the antisamy-esapi.xml configuration file that can cause javascript: URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the onsiteURL regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers’ release notes and security bulletin.
References
- github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf
- github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
- github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q
- github.com/advisories/GHSA-q77q-vx4q-xx6q
- nvd.nist.gov/vuln/detail/CVE-2022-24891
Detect and mitigate CVE-2022-24891 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →