CVE-2021-35043

CWE-79 — Cross-site Scripting (XSS)11 documents7 sources

Severity

6.1MEDIUM

EPSS

0.4%

top 42.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Antisamy Project Antisamy Oracle Banking Enterprise Default Managment Oracle Banking Platform +7 more

Timeline

PublishedJul 19

Latest updateApr 15

Description

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages12 packages

▶Mavenorg.owasp.antisamy:antisamy1.5.7 — 1.6.4

▶Debianlibowasp-antisamy-java< 1.7.4-1+1

▶NVDantisamy_project/antisamy< 1.6.4

▶NVDoracle/banking_platform2.3.0 — 2.4.1+3

▶NVDoracle/banking_enterprise_default_managment2.3.0 — 2.4.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in OWASP AntiSamy↗2021-08-02

▶

GHSA

Cross-site Scripting in OWASP AntiSamy↗2021-08-02

▶

CVEList

CVE-2021-35043: OWASP AntiSamy before 1↗2021-07-19

▶

OSV

CVE-2021-35043: OWASP AntiSamy before 1↗2021-07-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Logger (AntiSamy) — CVE-2021-35043↗2023-04-15

▶

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Architecture (AntiSamy) — CVE-2021-35043↗2022-04-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Collections (AntiSamy) — CVE-2021-35043↗2022-01-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Employee (AntiSamy) — CVE-2021-35043↗2021-10-15

▶

Red Hat

AntiSamy: XSS via HTML attributes↗2021-07-19

▶