CVE-2021-35043

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
VendorProductVersion
antisamy_projectantisamy
𝑥
< 1.6.4
oracleretail_back_office
14.0
oracleretail_back_office
14.1
oracleretail_central_office
14.0
oracleretail_central_office
14.1
oracleretail_returns_management
14.0
oracleretail_returns_management
14.1
oraclebanking_enterprise_default_management
2.6.2
oraclebanking_enterprise_default_management
2.7.0
oraclebanking_enterprise_default_management
2.7.1
oraclebanking_enterprise_default_management
2.10.0
oraclebanking_enterprise_default_management
2.12.0
oraclebanking_enterprise_default_managment
2.3.0 ≤
𝑥
≤ 2.4.0
oraclebanking_party_management
2.7.0
oraclebanking_platform
2.3.0 ≤
𝑥
≤ 2.4.1
oraclebanking_platform
2.6.2
oraclebanking_platform
2.7.0
oraclebanking_platform
2.7.1
oracleinsurance_policy_administration
11.0.2
oracleinsurance_policy_administration
11.1.0
oracleinsurance_policy_administration
11.2.8
oracleinsurance_policy_administration
11.3.0
oracleinsurance_policy_administration
11.3.1
oraclemiddleware_common_libraries_and_tools
12.2.1.3.0
oraclemiddleware_common_libraries_and_tools
12.2.1.4.0
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libowasp-antisamy-java
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
sid
1.7.4-1
fixed
trixie
1.7.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libowasp-antisamy-java
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/nahsra/antisamy/pull/87
https://github.com/nahsra/antisamy/releases/tag/v1.6.4
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://github.com/nahsra/antisamy/pull/87
https://github.com/nahsra/antisamy/releases/tag/v1.6.4
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html