Description


OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.

Related CPE's



a

oracle

retail_back_office

2

a

oracle

retail_central_office

2

a

oracle

retail_returns_management

2

a

oracle

banking_enterprise_default_management

5



a

oracle

banking_platform

4

a

oracle

insurance_policy_administration

5

a

oracle

middleware_common_libraries_and_tools

2

a

netapp

active_iq_unified_manager

3

Weaknesses



CWE-79

CVSS impact metrics


CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information


Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-07-19T15:15:07.747

3 years ago

Last modified

2022-10-29T02:49:41.783

2 years ago