Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Remediation

References

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

Related Vulnerabilities

CVE-2012-4387 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2022-28220 Vulnerability in maven package org.apache.james.protocols:protocols-api

CVE-2019-10907 Vulnerability in maven package org.airsonic.player:airsonic-main

CVE-2014-2064 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-42496 Vulnerability in npm package nadesiko3

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory