CVE-2022-24891

MEDIUM

OWASP Enterprise Security API < 2.3.0.0 - Cross-Site Scripting via antisamy-esapi.xml onsiteURL Regex


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-24891. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains the OWASP ESAPI (Enterprise Security API) for Java (Legacy) project, which is a security control library. The README provides project details, release notes, and contribution guidelines but does not include exploit code or a proof-of-concept for CVE-2022-24891.

Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/ESAPI__esapi-java-legacy_CVE-2022-24891_2-2-3-1


Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: OWASP ESAPI for Java (Legacy)
No auth needed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0103
EPSS Percentile 77.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (7)
netapp/active_iq_unified_manager (3 CPE variants)
netapp/oncommand_workflow_automation
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
org.owasp.esapi/esapi 0 - 2.3.0.0 (Maven)
owasp/enterprise_security_api < 2.3.0.0
Published Apr 27, 2022
Tracked Since Feb 18, 2026