CVE-2023-1932
Severity: MEDIUM
Hibernate Validator - XSS
A flaw was found in the isValid method of hibernate-validator's org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, the validator behind the @SafeHtml constraint. The check can be bypassed by omitting the closing bracket of a tag so that the tag instead ends at a less-than character: the validator does not reject such input, while browsers tolerate the malformed HTML and render it, allowing HTML injection or Cross-Site Scripting (XSS) attacks.
Scores
CVSS v3: 6.1 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0062
EPSS Percentile: 69.8%
Classification
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Affected Products (8)
redhat/codeready_studio
redhat/jboss_enterprise_application_platform
redhat/jboss_enterprise_application_platform
redhat/openstack_platform
redhat/single_sign-on
hibernate/hibernate-validator: < 6.2
org.hibernate.validator/hibernate-validator (Maven): < 6.2.0.Final
org.hibernate/hibernate-validator (Maven): < 6.2.0.Final
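As an added example (not part of this advisory and not code from the Hibernate project), the Python below checks a Maven dependency tree against the affected ranges listed above. It assumes the line format printed by `mvn dependency:tree` (groupId:artifactId:type[:classifier]:version:scope) and a simplified version of Maven's qualifier ordering in which alpha/beta/milestone/CR/RC/SNAPSHOT builds of 6.2.0 sort before 6.2.0.Final; the tree lines are constructed sample input. It checks both groupIds because hibernate-validator moved from org.hibernate to org.hibernate.validator in 6.0, so an old copy can still arrive transitively under the pre-6.0 coordinate even when the project's own dependency is patched.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed version taken from the advisory's affected-product list: every
# hibernate-validator release below 6.2.0.Final is affected.
FIXED_NUMERIC = (6, 2, 0)

# Both Maven coordinates listed on the page; the groupId changed to
# org.hibernate.validator in 6.0, so old copies may still use org.hibernate.
AFFECTED_COORDINATES = {
    "org.hibernate.validator:hibernate-validator",
    "org.hibernate:hibernate-validator",
}

# Qualifiers that Maven orders before a plain release or ".Final". This is an
# assumed simplification of Maven's ComparableVersion rules: any other
# qualifier (e.g. "SP1") is treated as a release-or-later build.
PRE_RELEASE = {"alpha", "a", "beta", "b", "milestone", "m", "rc", "cr", "snapshot"}

VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.\-]([A-Za-z][A-Za-z0-9\-]*))?$"
)


class Dependency(NamedTuple):
    group: str
    artifact: str
    version: str


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split a Maven-style version into ((major, minor, patch), is_prerelease)."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(part or 0) for part in m.group(1, 2, 3))
    # "CR1" -> "cr", "Final" -> "final", missing qualifier stays ""
    qualifier = (m.group(4) or "").lower().rstrip("0123456789")
    return numeric, qualifier in PRE_RELEASE


def is_affected(version: str) -> bool:
    """True if this hibernate-validator version is below the 6.2.0.Final fix."""
    numeric, prerelease = parse_version(version)
    return numeric < FIXED_NUMERIC or (numeric == FIXED_NUMERIC and prerelease)


def parse_tree_line(line: str) -> Optional[Dependency]:
    """Extract group/artifact/version from one `mvn dependency:tree` line, or None."""
    text = line.split("[INFO]", 1)[-1].strip()
    text = text.lstrip("+-\\| ")          # drop the ASCII tree connectors
    parts = text.split(":")
    if len(parts) == 4:                    # root artifact: g:a:type:version
        version = parts[3]
    elif len(parts) >= 5:                  # g:a:type[:classifier]:version:scope
        version = parts[-2]
    else:
        return None                        # plugin banner, BUILD SUCCESS, blank
    return Dependency(parts[0], parts[1], version)


def find_affected(tree_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every affected hibernate-validator in the tree."""
    hits = []
    for line in tree_lines:
        dep = parse_tree_line(line)
        if dep is None:
            continue
        coordinate = f"{dep.group}:{dep.artifact}"
        if coordinate in AFFECTED_COORDINATES and is_affected(dep.version):
            hits.append((coordinate, dep.version))
    return hits


# Constructed sample of `mvn dependency:tree` output (not from any real project):
# the project's own dependency is already on 6.2.0.Final, but a transitive
# dependency still brings in an old copy under the pre-6.0 groupId.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0-SNAPSHOT
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.2.0.Final:compile
[INFO] |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  \\- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] +- com.example:legacy-forms:jar:2.3.1:compile
[INFO] |  \\- org.hibernate:hibernate-validator:jar:5.4.3.Final:compile
[INFO] \\- org.jsoup:jsoup:jar:1.15.3:compile
"""

if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE_TREE.splitlines()):
        print(f"AFFECTED (CVE-2023-1932): {coordinate}:{version}")
```

Run it against real output with `mvn dependency:tree | python3 check_hv.py` after replacing the sample with `sys.stdin`; the sample tree flags only the transitive org.hibernate:hibernate-validator:5.4.3.Final, which a version pin on the org.hibernate.validator coordinate alone would not have fixed.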
Timeline
Published: Nov 07, 2024
Tracked Since: Feb 18, 2026