CVE-2022-24891
published 2022-04-27
medium 6.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration file(s) to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
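The workaround above is only as good as the replacement regular expression, so the check a practitioner wants is a way to feed a candidate **antisamy-esapi.xml** to a harness and see which "javascript:" URL shapes its "onsiteURL" pattern still accepts. The script below is an added example for this advisory, not code from the ESAPI or AntiSamy projects. Both XML fragments and both regular expressions in it are constructed for the illustration and are not the patterns shipped in antisamy-esapi.xml; the probes are generic javascript: URL obfuscations, not the specific bypass behind this CVE. It assumes AntiSamy applies a common regexp as a whole-value match (modelled with `re.fullmatch`), and it uses Python's `re`, which handles these ASCII-only patterns but not the `\p{L}`/`\p{N}` classes of the real file, so a final check of a production pattern should be run under `java.util.regex`.

```python
"""Audit an AntiSamy-style "onsiteURL" regexp against javascript: URL probes.

Added example for CVE-2022-24891; not code from the ESAPI or AntiSamy projects.
The two XML fragments and both regular expressions are constructed for this
illustration and are not the patterns shipped in antisamy-esapi.xml. AntiSamy
evaluates its patterns with java.util.regex as whole-value matches (assumed
here via re.fullmatch); Python's re handles these ASCII-only patterns but does
not understand the \\p{L}/\\p{N} classes used in the real file.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the antisamy-esapi.xml shape. The character class is
# the kind of mistake the advisory describes: it admits ':' so any scheme,
# including javascript:, survives as an "onsite" URL.
WEAK_CONFIG = """<anti-samy-rules>
  <common-regexps>
    <regexp name="onsiteURL" value="[\\w.:/?=&amp;;#%\\-+~,!@$()]+"/>
  </common-regexps>
</anti-samy-rules>"""

# Constructed hardened fragment: no ':' anywhere in the whitelist, so no URL
# scheme can appear, and a lookahead rejects protocol-relative '//host' values.
FIXED_CONFIG = """<anti-samy-rules>
  <common-regexps>
    <regexp name="onsiteURL" value="(?!//)[\\w.\\-/?=&amp;;#%+~,!@$()]*"/>
  </common-regexps>
</anti-samy-rules>"""

# Generic javascript: URL obfuscations plus two benign controls. These are
# standard XSS probes, not the specific bypass that affected ESAPI.
PROBES = [
    "/account/settings",                # benign relative URL
    "page.html?id=42&sort=asc#top",     # benign, exercises ? = & #
    "javascript:alert(1)",
    "JaVaScRiPt:alert(1)",
    "  javascript:alert(1)",            # leading whitespace
    "java\tscript:alert(1)",            # control character inside the scheme
    "javascript&colon;alert(1)",        # HTML5 named entity for ':'
    "javascript&#58;alert(1)",          # numeric entity for ':'
    "//evil.example/x",                 # protocol-relative, leaves the site
]


def load_onsite_url_regex(config_xml: str) -> str:
    """Pull the onsiteURL pattern out of an antisamy-esapi.xml style document."""
    root = ET.fromstring(config_xml)
    node = root.find("./common-regexps/regexp[@name='onsiteURL']")
    if node is None:
        raise ValueError("no onsiteURL regexp in config")
    return node.get("value")


def browser_normalise(href: str) -> str:
    """Approximate what a browser does before resolving an href: decode HTML
    entities (&colon; and &#58; become ':'), trim surrounding whitespace and
    drop ASCII control characters such as an embedded tab."""
    decoded = html.unescape(href).strip()
    return "".join(ch for ch in decoded if ord(ch) > 0x1F)


def url_allowed(pattern: str, href: str, normalise: bool = True) -> bool:
    """Whole-value match, optionally after browser-style normalisation."""
    value = browser_normalise(href) if normalise else href
    return re.fullmatch(pattern, value) is not None


def audit(config_xml: str, normalise: bool = True) -> dict:
    """Map every probe to whether the configured onsiteURL pattern accepts it."""
    pattern = load_onsite_url_regex(config_xml)
    return {p: url_allowed(pattern, p, normalise) for p in PROBES}


def leaks_javascript(config_xml: str, normalise: bool = True) -> list:
    """Probes the pattern accepts that a browser would run as javascript:."""
    return [p for p, ok in audit(config_xml, normalise).items()
            if ok and browser_normalise(p).lower().startswith("javascript:")]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name} pattern: {load_onsite_url_regex(cfg)}")
        print("  leaks (normalised input):", leaks_javascript(cfg))
        print("  leaks (raw input):       ", leaks_javascript(cfg, normalise=False))
```

Two things the run shows that the advisory text alone does not. First, the weak pattern lets every javascript: variant through, so the fix is not to blacklist the string "javascript" but to drop ':' from the whitelist entirely, which closes the whole scheme class at once. Second, even the hardened pattern accepts `javascript&colon;alert(1)` and `javascript&#58;alert(1)` when it is matched against the raw attribute text, because neither contains a literal ':'; whether the sanitizer sees the raw or the entity-decoded value depends on the HTML parser in front of it, so a deployment test should feed both forms and treat either acceptance as a failure.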
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libowasp-esapi-java | < 2.4.0.0-1 (bookworm) | 2.4.0.0-1 (bookworm) |
| esapi | esapi-java-legacy | <= 2.2.3.1 | — |
| oracle | weblogic_server | — | — |
| oracle | weblogic_server | — | — |
| oracle | weblogic_server | — | — |
| owasp | enterprise_security_api | < 2.3.0.0 | 2.3.0.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| OSV | — | 6.1 | MEDIUM | — |