CVE-2019-10219

MEDIUM

Hibernate-Validator - XSS

Title source: llm

Description

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Exploits (4)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-10219-hibernate-validator-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-10219-hibernate-validator-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by shoucheng3 · poc

https://github.com/shoucheng3/hibernate__hibernate-validator_CVE-2019-10219_6_0_18_Final_fixed

View Code ZIP pw:eip

nomisec WRITEUP

by shoucheng3 · poc

https://github.com/shoucheng3/hibernate__hibernate-validator_CVE-2019-10219_6-0-17-Final

View Code ZIP pw:eip

References (19)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0159

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0160

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0161

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0164

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0445

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219

[Various Sources] https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219

[Various Sources] https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit

[Mailing List] https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220210-0024/

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch] https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56cee

[Patch] https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe

[Patch] https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee

[Mailing List] https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E

Scores

CVSS v3 6.1

EPSS 0.0167

EPSS Percentile 82.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (48)

netapp/active_iq_unified_manager (3 CPE variants)

netapp/element

netapp/management_services_for_element_software_and_netapp_hci

netapp/snapcenter_plug-in

oracle/access_manager 11.1.2.3.0

oracle/access_manager 12.2.1.3.0

oracle/access_manager 12.2.1.4.0

oracle/agile_engineering_data_management 6.2.1.0

oracle/agile_plm 9.3.3

oracle/agile_plm 9.3.6

... and 38 more

Published Nov 08, 2019

Tracked Since Feb 18, 2026