ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
{
"cwe_ids": [
"CWE-79"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24891.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:owasp:enterprise_security_api:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.3.1"
},
{
"fixed": "2.3.0.0"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}