CVE-2022-24891Cross-site Scripting in Enterprise Security API

CWE-79Cross-site Scripting8 documents7 sources
Severity
6.1MEDIUMNVD
CNA5.4
EPSS
1.0%
top 22.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Owasp Enterprise Security APIEsapi Esapi-java-legacyOracle Weblogic Server
Timeline
PublishedApr 27
Latest updateApr 16

Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

CVEListV5esapi/esapi-java-legacy2.2.3.1
NVDoracle/weblogic_server12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0+2

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
Cross-site Scripting in org.owasp.esapi:esapi2022-04-27
GHSA
Cross-site Scripting in org.owasp.esapi:esapi2022-04-27
CVEList
Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file2022-04-27
OSV
CVE-2022-24891: ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library2022-04-27

📋Vendor Advisories

3
Ubuntu
ESAPI vulnerabilities2026-04-16
Oracle
Oracle Oracle Analytics Risk Matrix: Security (Enterprise Security API) — CVE-2022-248912023-07-15
Debian
CVE-2022-24891: libowasp-esapi-java - ESAPI (The OWASP Enterprise Security API) is a free, open source, web applicatio...2022
CVE-2022-24891 — Cross-site Scripting | cvebase