Wednesday, July 17, 2019

Vuln: OWASP AntiSamy CVE-2017-14735 Cross Site Scripting Vulnerability



OWASP AntiSamy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

OWASP AntiSamy versions prior to 1.5.7 are vulnerable.

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Solution:
Updates are available. Please see the references or vendor advisory for more information.


Bugtraq ID: 105656
Class: Input Validation Error
CVE: CVE-2017-14735
Remote: Yes
Local: No
Published: Sep 25 2017 12:00AM
Updated: Jul 17 2019 07:00AM
Credit: Raj Veerappan
Vulnerable: Oracle WebCenter Sites 11.1.1 8.0
Oracle Retail Returns Management 14.1
Oracle Retail Returns Management 14.0
Oracle Retail Returns Management 13.4
Oracle Retail Returns Management 13.3
Oracle Retail Central Office 14.1
Oracle Retail Central Office 14.0
Oracle Retail Central Office 13.4
Oracle Retail Central Office 13.3
Oracle Retail Back Office 14.1
Oracle Retail Back Office 14.0
Oracle Retail Back Office 13.4
Oracle Retail Back Office 13.3
Oracle Insurance Policy Administration J2EE 10.2
Oracle Insurance Policy Administration J2EE 10.0
Oracle Insurance Calculation Engine 9.7
Oracle Insurance Calculation Engine 10.2
Oracle Insurance Calculation Engine 10.1
Oracle Insurance Calculation Engine 10.0
Oracle Fusion Middleware MapViewer 12.2.1.3.0
Oracle Fusion Middleware MapViewer 12.1.3.0
Oracle FLEXCUBE Core Banking 11.8
Oracle FLEXCUBE Core Banking 11.7
Oracle FLEXCUBE Core Banking 11.6
Oracle FLEXCUBE Core Banking 5.2
Oracle Banking Platform 2.6.1
Oracle Banking Platform 2.6
Oracle Banking Platform 2.5.0
Oracle Agile PLM 9.3.5
Oracle Agile PLM 9.3.4
Antisamy Project Antisamy 1.5.6
Antisamy Project Antisamy 1.5.4
Antisamy Project Antisamy 1.5.3
Antisamy Project Antisamy 1.5.1
Antisamy Project Antisamy 1.4.4
Not Vulnerable: Antisamy Project Antisamy 1.5.7

from SecurityFocus Vulnerabilities https://ift.tt/2OezMwj
