CVE-2022-36033Cross-site Scripting in Jsoup

CWE-79Cross-site ScriptingCWE-87Improper Neutralization of Alternate XSS Syntax18 documents9 sources
Severity
6.1MEDIUMNVD
EPSS
1.6%
top 18.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
JHY JsoupJsoup
Timeline
PublishedAug 29
Latest updateApr 15

Description

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Con

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

CVEListV5jhy/jsoup< 1.15.3
NVDjsoup/jsoup< 1.15.3
Debianjsoup/jsoup< 1.15.3-1+2

🔴Vulnerability Details

4
GHSA
jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled2022-09-01
OSV
jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled2022-09-01
CVEList
jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled2022-08-29
OSV
CVE-2022-36033: jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety2022-08-29

📋Vendor Advisories

12
Oracle
Oracle Oracle Analytics Risk Matrix: Platform Security (jsoup) — CVE-2022-360332025-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Security (jsoup) — CVE-2022-360332024-07-15
Oracle
Oracle Oracle Systems Risk Matrix: Tools (jsoup) — CVE-2022-360332024-04-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Reports (jsoup) — CVE-2022-360332024-01-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Installer (jsoup) — CVE-2022-360332023-10-15
CVE-2022-36033 — Cross-site Scripting in JHY Jsoup | cvebase