CVE-2022-29577

MEDIUM

AntiSamy < 1.6.7 - XSS

Title source: rule

Description

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/nahsra__antisamy_CVE-2022-29577_1-6-6-1

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 47.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (7)
antisamy_project/antisamy < 1.6.7
oracle/enterprise_manager_base_platform 13.4.0.0
oracle/enterprise_manager_base_platform 13.5.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
org.owasp.antisamy/antisamy 0 - 1.6.7 (Maven)
Published Apr 21, 2022
Tracked Since Feb 18, 2026