CVE-2021-35043: OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a…

medium6.1CVSS 3.1

AVNACLPRNUIRSCCLILAN

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.

Affected

26 ranges· showing 25

Vendor	Product	Version range	Fixed in
antisamy_project	antisamy	< 1.6.4	1.6.4
debian	libowasp-antisamy-java	< libowasp-antisamy-java 1.7.4-1 (forky)	libowasp-antisamy-java 1.7.4-1 (forky)
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_managment	2.3.0 – 2.4.0	—
oracle	banking_party_management	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	2.3.0 – 2.4.1	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	insurance_policy_administration	—	—
oracle	middleware_common_libraries_and_tools	—	—
oracle	middleware_common_libraries_and_tools	—	—
oracle	retail_back_office	—	—
oracle	retail_back_office	—	—
oracle	retail_central_office	—	—
oracle	retail_central_office	—	—
oracle	retail_returns_management	—	—

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

osv6.1MEDIUM