Fluid Attacks Database

Description

Cross-site Scripting in OWASP AntiSamy OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.owasp.antisamy:antisamy	>=1.5.7 <1.6.4	1.6.4
debian 13	libowasp-antisamy-java	>=0 <1.7.4-1	1.7.4-1
debian 12	libowasp-antisamy-java	=1.5.3+dfsg-1.1 \|\| =1.7.4-1	-
debian 11	libowasp-antisamy-java	=1.5.3+dfsg-1.1 \|\| =1.7.4-1	-
debian 14	libowasp-antisamy-java	>=0 <1.7.4-1	1.7.4-1

Aliases

1. CVE-2021-350432. NVD-2021-350433. OSV-2021-350434. OSV-DEBIAN-2021-350435. GCVE-2021-350436. SECURITY-TRACKER-CVE-2021-35043

References

1. https://github.com/nahsra/antisamy/pull/872. https://github.com/nahsra/antisamy/releases/tag/v1.6.43. https://www.oracle.com/security-alerts/cpuapr2022.html4. https://www.oracle.com/security-alerts/cpujan2022.html5. https://www.oracle.com/security-alerts/cpujul2022.html6. https://www.oracle.com/security-alerts/cpuoct2021.html