Headline
CVE-2022-28367: Release Release version 1.6.6 · nahsra/antisamy
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
This release addresses the following issues:
- This release fixes 3 security issues reported by researcher Hyeong Gwan, Yi
CVEs for these have not been created yet, so we are not providing any details on the issues at this time.
Enhancement #147: Add require-closing-tags to default AntiSamy policy file
Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages
We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.
NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.
NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.
a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.
To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:
public static boolean getSchemaValidation()
public static void setSchemaValidation(boolean enable)
These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.
b) AntiSamy 1.6.5 changed some APIs. Specifically:
These constructors are now @deprecated:
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)
And are being replaced with:
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.
Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:
public LinkedList getImportedStylesheetsURIList()
c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:
The constant: Policy.USE_XHTML = "useXHTML";
The method: InternalPolicy.isXhtml()
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java
We plan to remove everything deprecated in the 1.7.0 release.
Related news
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=edit&roleid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Hide&userid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.
An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file.
KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulnerability via the background management module.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=delete.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=display&value=1&roleid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=.
Victor v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component admin/profile.php?section=admin.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2.
Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade.
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent.
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.
The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel's safe mode.
Time-of-check Time-of-use (TOCTOU) Race Condition vulerability in Foscam R2C IP camera running System FW <= 1.13.1.6, and Application FW <= 2.91.2.66, allows an authenticated remote attacker with administrator permissions to execute arbitrary remote code via a malicious firmware patch. The impact of this vulnerability is that the remote attacker could gain full remote access to the IP camera and the underlying Linux system with root permissions. With root access to the camera's Linux OS, an attacker could effectively change the code that is running, add backdoor access, or invade the privacy of the user by accessing the live camera stream.
The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue.
The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.