First published: Thu Apr 21 2022
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Antisamy Project Antisamy | <1.6.7 | Update to AntiSamy 1.6.7 or later |
Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
Oracle Enterprise Manager Base Platform | =13.5.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
CVE-2022-29577 is a vulnerability in OWASP AntiSamy before 1.6.7 that allows XSS via HTML tag smuggling on STYLE content with crafted input.
CVE-2022-29577 exists because the fix for CVE-2022-28367 in OWASP AntiSamy was incomplete: the output serializer still does not properly encode the supposed Cascading Style Sheets (CSS) content, resulting in an XSS vulnerability.
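As an added illustration (not AntiSamy's own code, and not the CVE's actual payload), the Python below re-parses serialized `<style>` output with a browser's raw-text rules, so CSS text that is written through unencoded and happens to contain an end-tag sequence shows up as extra markup, and shows one assumed mitigation: CSS hex-escaping `<`, `>` and `&` before serializing. The `StyleAudit`, `encode_css_text` and `serialize_style` names and the sample CSS are constructed for this example.

```python
from html.parser import HTMLParser


class StyleAudit(HTMLParser):
    """Re-parse serialized HTML as a browser does: <style> content is raw text
    that ends at the first '</style>', and whatever follows is markup again."""

    def __init__(self):
        super().__init__()
        self.tags = []          # start tags the browser would see, in order
        self.style_text = []    # text the browser actually keeps as CSS
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_style = tag == 'style'

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.style_text.append(data)


def encode_css_text(css):
    """Replace the characters that can end a raw-text element or start new
    markup with CSS hex escapes (escape + trailing space is valid CSS).
    Assumed mitigation for illustration, not AntiSamy's actual fix."""
    return css.replace('<', '\\3c ').replace('>', '\\3e ').replace('&', '\\26 ')


def serialize_style(css, encode=True):
    """Emit a <style> element; encode=False models a serializer that writes
    the CSS text through unencoded."""
    body = encode_css_text(css) if encode else css
    return '<style>' + body + '</style>'


def browser_view(html):
    """Return (tags, css_text) as a browser would parse the serialized output."""
    audit = StyleAudit()
    audit.feed(html)
    audit.close()
    return audit.tags, ''.join(audit.style_text)


# Constructed sample: CSS text that happens to contain an end-tag sequence.
HOSTILE_CSS = 'p { color: red; } </style><b>smuggled</b>'
```

Comparing `browser_view(serialize_style(HOSTILE_CSS, encode=False))` with the encoded form makes a useful regression check for any sanitizer that emits `<style>` blocks: the unencoded output yields a second element, the encoded output yields only `style`.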
The severity of CVE-2022-29577 is medium with a CVSS score of 6.1.
CVE-2022-29577 affects Antisamy Project Antisamy before version 1.6.7, Oracle Enterprise Manager Base Platform versions 13.4.0.0 and 13.5.0.0, and Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
To fix CVE-2022-29577, users should update their OWASP AntiSamy to version 1.6.7 or later.