cvelist/2022/24xxx/CVE-2022-24891.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24891",
        "STATE": "PUBLIC",
        "TITLE": "Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "esapi-java-legacy",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "<= 2.2.3.1"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "ESAPI"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin."
            }
        ]
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt",
                "refsource": "MISC",
                "url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
            },
            {
                "name": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q",
                "refsource": "CONFIRM",
                "url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"
            },
            {
                "name": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf",
                "refsource": "MISC",
                "url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"
            },
            {
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html",
                "refsource": "MISC",
                "name": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-q77q-vx4q-xx6q",
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`{`
			`"CVE_data_meta": {`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`"ASSIGNER": "security-advisories@github.com",`
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`"ID": "CVE-2022-24891",`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`"STATE": "PUBLIC",`
			`"TITLE": "Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file"`
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`},`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "esapi-java-legacy",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": "<= 2.2.3.1"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "ESAPI"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			"value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the antisamy-esapi.xml configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin."
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`}`
			`]`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 5.4,`
			`"baseSeverity": "MEDIUM",`
			`"confidentialityImpact": "LOW",`
			`"integrityImpact": "LOW",`
			`"privilegesRequired": "NONE",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "REQUIRED",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
"-Synchronized-Data." 2022-04-27 21:01:31 +00:00			`{`
			`"name": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt",`
			`"refsource": "MISC",`
			`"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"`
			`},`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`{`
			`"name": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"`
			`},`
			`{`
			`"name": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf",`
			`"refsource": "MISC",`
			`"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"`
Oracle CPU July 2022 3rd Party CVEs On branch cna/Oracle/CPU2022Jul3rd Changes to be committed: modified: 2014/3xxx/CVE-2014-3643.json modified: 2016/1000xxx/CVE-2016-1000031.json modified: 2018/18xxx/CVE-2018-18074.json modified: 2018/1xxx/CVE-2018-1259.json modified: 2018/1xxx/CVE-2018-1273.json modified: 2018/1xxx/CVE-2018-1274.json modified: 2018/25xxx/CVE-2018-25032.json modified: 2018/8xxx/CVE-2018-8032.json modified: 2019/0xxx/CVE-2019-0219.json modified: 2019/0xxx/CVE-2019-0220.json modified: 2019/0xxx/CVE-2019-0227.json modified: 2019/10xxx/CVE-2019-10082.json modified: 2019/10xxx/CVE-2019-10086.json modified: 2019/17xxx/CVE-2019-17495.json modified: 2019/17xxx/CVE-2019-17566.json modified: 2019/17xxx/CVE-2019-17571.json modified: 2019/20xxx/CVE-2019-20388.json modified: 2019/20xxx/CVE-2019-20916.json modified: 2019/9xxx/CVE-2019-9636.json modified: 2019/9xxx/CVE-2019-9740.json modified: 2020/0xxx/CVE-2020-0404.json modified: 2020/10xxx/CVE-2020-10683.json modified: 2020/11xxx/CVE-2020-11022.json modified: 2020/11xxx/CVE-2020-11023.json modified: 2020/11xxx/CVE-2020-11987.json modified: 2020/13xxx/CVE-2020-13974.json modified: 2020/14xxx/CVE-2020-14343.json modified: 2020/17xxx/CVE-2020-17521.json modified: 2020/1xxx/CVE-2020-1747.json modified: 2020/1xxx/CVE-2020-1927.json modified: 2020/24xxx/CVE-2020-24977.json modified: 2020/25xxx/CVE-2020-25638.json modified: 2020/25xxx/CVE-2020-25649.json modified: 2020/25xxx/CVE-2020-25659.json modified: 2020/26xxx/CVE-2020-26137.json modified: 2020/26xxx/CVE-2020-26184.json modified: 2020/26xxx/CVE-2020-26185.json modified: 2020/26xxx/CVE-2020-26237.json modified: 2020/27xxx/CVE-2020-27619.json modified: 2020/27xxx/CVE-2020-27820.json modified: 2020/28xxx/CVE-2020-28052.json modified: 2020/28xxx/CVE-2020-28491.json modified: 2020/28xxx/CVE-2020-28500.json modified: 2020/29xxx/CVE-2020-29396.json modified: 2020/29xxx/CVE-2020-29505.json modified: 2020/29xxx/CVE-2020-29506.json modified: 2020/29xxx/CVE-2020-29507.json modified: 2020/29xxx/CVE-2020-29508.json modified: 2020/29xxx/CVE-2020-29651.json modified: 2020/35xxx/CVE-2020-35163.json modified: 2020/35xxx/CVE-2020-35164.json modified: 2020/35xxx/CVE-2020-35166.json modified: 2020/35xxx/CVE-2020-35167.json modified: 2020/35xxx/CVE-2020-35168.json modified: 2020/35xxx/CVE-2020-35169.json modified: 2020/35xxx/CVE-2020-35490.json modified: 2020/35xxx/CVE-2020-35491.json modified: 2020/35xxx/CVE-2020-35728.json modified: 2020/36xxx/CVE-2020-36179.json modified: 2020/36xxx/CVE-2020-36180.json modified: 2020/36xxx/CVE-2020-36181.json modified: 2020/36xxx/CVE-2020-36182.json modified: 2020/36xxx/CVE-2020-36183.json modified: 2020/36xxx/CVE-2020-36184.json modified: 2020/36xxx/CVE-2020-36185.json modified: 2020/36xxx/CVE-2020-36186.json modified: 2020/36xxx/CVE-2020-36187.json modified: 2020/36xxx/CVE-2020-36188.json modified: 2020/36xxx/CVE-2020-36189.json modified: 2020/36xxx/CVE-2020-36242.json modified: 2020/36xxx/CVE-2020-36518.json modified: 2020/4xxx/CVE-2020-4788.json modified: 2020/5xxx/CVE-2020-5258.json modified: 2020/5xxx/CVE-2020-5397.json modified: 2020/5xxx/CVE-2020-5398.json modified: 2020/7xxx/CVE-2020-7595.json modified: 2020/7xxx/CVE-2020-7656.json modified: 2020/7xxx/CVE-2020-7712.json modified: 2020/9xxx/CVE-2020-9484.json modified: 2020/9xxx/CVE-2020-9492.json modified: 2021/20xxx/CVE-2021-20322.json modified: 2021/21xxx/CVE-2021-21781.json modified: 2021/22xxx/CVE-2021-22118.json modified: 2021/22xxx/CVE-2021-22119.json modified: 2021/22xxx/CVE-2021-22931.json modified: 2021/22xxx/CVE-2021-22939.json modified: 2021/22xxx/CVE-2021-22940.json modified: 2021/22xxx/CVE-2021-22946.json modified: 2021/22xxx/CVE-2021-22947.json modified: 2021/23xxx/CVE-2021-23337.json modified: 2021/23xxx/CVE-2021-23450.json modified: 2021/23xxx/CVE-2021-23926.json modified: 2021/26xxx/CVE-2021-26291.json modified: 2021/29xxx/CVE-2021-29154.json modified: 2021/29xxx/CVE-2021-29425.json modified: 2021/29xxx/CVE-2021-29505.json modified: 2021/29xxx/CVE-2021-29921.json modified: 2021/30xxx/CVE-2021-30129.json modified: 2021/31xxx/CVE-2021-31684.json modified: 2021/31xxx/CVE-2021-31805.json modified: 2021/31xxx/CVE-2021-31811.json modified: 2021/31xxx/CVE-2021-31812.json modified: 2021/33xxx/CVE-2021-33560.json modified: 2021/33xxx/CVE-2021-33813.json modified: 2021/34xxx/CVE-2021-34141.json modified: 2021/34xxx/CVE-2021-34429.json modified: 2021/35xxx/CVE-2021-35043.json modified: 2021/35xxx/CVE-2021-35515.json modified: 2021/35xxx/CVE-2021-35516.json modified: 2021/35xxx/CVE-2021-35517.json modified: 2021/35xxx/CVE-2021-35940.json modified: 2021/36xxx/CVE-2021-36090.json modified: 2021/36xxx/CVE-2021-36373.json modified: 2021/36xxx/CVE-2021-36374.json modified: 2021/37xxx/CVE-2021-37136.json modified: 2021/37xxx/CVE-2021-37137.json modified: 2021/37xxx/CVE-2021-37159.json modified: 2021/37xxx/CVE-2021-37714.json modified: 2021/37xxx/CVE-2021-37750.json modified: 2021/38xxx/CVE-2021-38153.json modified: 2021/38xxx/CVE-2021-38296.json modified: 2021/38xxx/CVE-2021-38604.json modified: 2021/39xxx/CVE-2021-39139.json modified: 2021/39xxx/CVE-2021-39140.json modified: 2021/39xxx/CVE-2021-39141.json modified: 2021/39xxx/CVE-2021-39144.json modified: 2021/39xxx/CVE-2021-39145.json modified: 2021/39xxx/CVE-2021-39146.json modified: 2021/39xxx/CVE-2021-39147.json modified: 2021/39xxx/CVE-2021-39148.json modified: 2021/39xxx/CVE-2021-39149.json modified: 2021/39xxx/CVE-2021-39150.json modified: 2021/39xxx/CVE-2021-39151.json modified: 2021/39xxx/CVE-2021-39152.json modified: 2021/39xxx/CVE-2021-39153.json modified: 2021/39xxx/CVE-2021-39154.json modified: 2021/3xxx/CVE-2021-3177.json modified: 2021/3xxx/CVE-2021-3449.json modified: 2021/3xxx/CVE-2021-3450.json modified: 2021/3xxx/CVE-2021-3517.json modified: 2021/3xxx/CVE-2021-3518.json modified: 2021/3xxx/CVE-2021-3537.json modified: 2021/3xxx/CVE-2021-3572.json modified: 2021/3xxx/CVE-2021-3612.json modified: 2021/3xxx/CVE-2021-3672.json modified: 2021/3xxx/CVE-2021-3737.json modified: 2021/3xxx/CVE-2021-3743.json modified: 2021/3xxx/CVE-2021-3744.json modified: 2021/3xxx/CVE-2021-3749.json modified: 2021/3xxx/CVE-2021-3752.json modified: 2021/3xxx/CVE-2021-3772.json modified: 2021/3xxx/CVE-2021-3773.json modified: 2021/40xxx/CVE-2021-40690.json modified: 2021/41xxx/CVE-2021-41164.json modified: 2021/41xxx/CVE-2021-41165.json modified: 2021/41xxx/CVE-2021-41182.json modified: 2021/41xxx/CVE-2021-41183.json modified: 2021/41xxx/CVE-2021-41184.json modified: 2021/41xxx/CVE-2021-41303.json modified: 2021/41xxx/CVE-2021-41495.json modified: 2021/41xxx/CVE-2021-41496.json modified: 2021/41xxx/CVE-2021-41617.json modified: 2021/41xxx/CVE-2021-41771.json modified: 2021/41xxx/CVE-2021-41772.json modified: 2021/42xxx/CVE-2021-42340.json modified: 2021/42xxx/CVE-2021-42575.json modified: 2021/42xxx/CVE-2021-42739.json modified: 2021/43xxx/CVE-2021-43389.json modified: 2021/43xxx/CVE-2021-43396.json modified: 2021/43xxx/CVE-2021-43797.json modified: 2021/43xxx/CVE-2021-43818.json modified: 2021/43xxx/CVE-2021-43859.json modified: 2021/43xxx/CVE-2021-43976.json modified: 2021/44xxx/CVE-2021-44228.json modified: 2021/44xxx/CVE-2021-44531.json modified: 2021/44xxx/CVE-2021-44532.json modified: 2021/44xxx/CVE-2021-44533.json modified: 2021/44xxx/CVE-2021-44832.json modified: 2021/45xxx/CVE-2021-45046.json modified: 2021/45xxx/CVE-2021-45105.json modified: 2021/45xxx/CVE-2021-45485.json modified: 2021/45xxx/CVE-2021-45486.json modified: 2021/45xxx/CVE-2021-45943.json modified: 2021/4xxx/CVE-2021-4002.json modified: 2021/4xxx/CVE-2021-4083.json modified: 2021/4xxx/CVE-2021-4104.json modified: 2021/4xxx/CVE-2021-4115.json modified: 2021/4xxx/CVE-2021-4157.json modified: 2021/4xxx/CVE-2021-4160.json modified: 2021/4xxx/CVE-2021-4197.json modified: 2021/4xxx/CVE-2021-4203.json modified: 2022/0xxx/CVE-2022-0001.json modified: 2022/0xxx/CVE-2022-0002.json modified: 2022/0xxx/CVE-2022-0286.json modified: 2022/0xxx/CVE-2022-0322.json modified: 2022/0xxx/CVE-2022-0778.json modified: 2022/0xxx/CVE-2022-0839.json modified: 2022/1xxx/CVE-2022-1011.json modified: 2022/1xxx/CVE-2022-1154.json modified: 2022/1xxx/CVE-2022-1292.json modified: 2022/21xxx/CVE-2022-21824.json modified: 2022/22xxx/CVE-2022-22720.json modified: 2022/22xxx/CVE-2022-22721.json modified: 2022/22xxx/CVE-2022-22946.json modified: 2022/22xxx/CVE-2022-22947.json modified: 2022/22xxx/CVE-2022-22963.json modified: 2022/22xxx/CVE-2022-22965.json modified: 2022/22xxx/CVE-2022-22968.json modified: 2022/22xxx/CVE-2022-22969.json modified: 2022/22xxx/CVE-2022-22970.json modified: 2022/22xxx/CVE-2022-22971.json modified: 2022/22xxx/CVE-2022-22976.json modified: 2022/22xxx/CVE-2022-22978.json modified: 2022/23xxx/CVE-2022-23181.json modified: 2022/23xxx/CVE-2022-23218.json modified: 2022/23xxx/CVE-2022-23219.json modified: 2022/23xxx/CVE-2022-23221.json modified: 2022/23xxx/CVE-2022-23302.json modified: 2022/23xxx/CVE-2022-23305.json modified: 2022/23xxx/CVE-2022-23307.json modified: 2022/23xxx/CVE-2022-23308.json modified: 2022/23xxx/CVE-2022-23437.json modified: 2022/23xxx/CVE-2022-23457.json modified: 2022/23xxx/CVE-2022-23632.json modified: 2022/23xxx/CVE-2022-23772.json modified: 2022/23xxx/CVE-2022-23773.json modified: 2022/23xxx/CVE-2022-23806.json modified: 2022/24xxx/CVE-2022-24329.json modified: 2022/24xxx/CVE-2022-24407.json modified: 2022/24xxx/CVE-2022-24728.json modified: 2022/24xxx/CVE-2022-24729.json modified: 2022/24xxx/CVE-2022-24735.json modified: 2022/24xxx/CVE-2022-24736.json modified: 2022/24xxx/CVE-2022-24801.json modified: 2022/24xxx/CVE-2022-24823.json modified: 2022/24xxx/CVE-2022-24839.json modified: 2022/24xxx/CVE-2022-24891.json modified: 2022/25xxx/CVE-2022-25169.json modified: 2022/25xxx/CVE-2022-25636.json modified: 2022/25xxx/CVE-2022-25647.json modified: 2022/25xxx/CVE-2022-25762.json modified: 2022/25xxx/CVE-2022-25845.json modified: 2022/27xxx/CVE-2022-27778.json modified: 2022/29xxx/CVE-2022-29577.json modified: 2022/29xxx/CVE-2022-29824.json modified: 2022/29xxx/CVE-2022-29885.json modified: 2022/30xxx/CVE-2022-30126.json modified: 2022/34xxx/CVE-2022-34169.json 2022-07-19 14:38:32 -07:00			`},`
			`{`
"-Synchronized-Data." 2022-07-25 19:00:49 +00:00			`"url": "https://www.oracle.com/security-alerts/cpujul2022.html",`
			`"refsource": "MISC",`
			`"name": "https://www.oracle.com/security-alerts/cpujul2022.html"`
Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q Add CVE-2022-24891 for GHSA-q77q-vx4q-xx6q 2022-04-27 20:11:14 +00:00			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "GHSA-q77q-vx4q-xx6q",`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2022-02-10 17:01:34 +00:00			`}`
			`}`