CVE-2022-29577

CWE-79 — Cross-site Scripting (XSS)10 documents6 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 52.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Antisamy Project Antisamy Oracle Enterprise Manager Base Platform Oracle Weblogic Server

Timeline

PublishedApr 21

Latest updateOct 15

Description

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Mavenorg.owasp.antisamy:antisamy< 1.6.7

▶NVDantisamy_project/antisamy< 1.6.7

▶NVDoracle/weblogic_server12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0+2

▶NVDoracle/enterprise_manager_base_platform13.4.0.0, 13.5.0.0+1

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in OWASP AntiSamy↗2022-04-23

▶

GHSA

Cross-site Scripting in OWASP AntiSamy↗2022-04-23

▶

OSV

CVE-2022-29577: OWASP AntiSamy before 1↗2022-04-21

▶

CVEList

CVE-2022-29577: OWASP AntiSamy before 1↗2022-04-21

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: UI (AntiSamy) — CVE-2022-29577↗2023-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Application (AntiSamy) — CVE-2022-29577↗2023-04-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Collections (AntiSamy) — CVE-2022-29577↗2022-10-15

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Enterprise Manager Install (AntiSamy) — CVE-2022-29577↗2022-07-15

▶

Debian

CVE-2022-29577: libowasp-antisamy-java - OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content w...↗2022

▶