Description

OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.

Remediation

References

https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae

https://github.com/nahsra/antisamy/releases/tag/v1.6.6

Related Vulnerabilities

CVE-2023-29199 Vulnerability in npm package vm2

CVE-2021-22696 Vulnerability in maven package org.apache.cxf:cxf-rt-rs-security-oauth2

CVE-2023-34462 Vulnerability in maven package io.netty:netty-handler

CVE-2018-1304 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-24819 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Patch Third Party Advisory Release Notes