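OWASP AntiSamy before 1.6.6 allows cross-site scripting (XSS) via HTML tag smuggling in STYLE element content with crafted input. The output serializer does not properly encode content that is supposed to be Cascading Style Sheets (CSS), so HTML markup placed inside a STYLE element can reach the sanitized output unencoded.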
[
{
"deprecated": false,
"source": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae",
"id": "CVE-2022-28367-0b2c0c31",
"signature_type": "Function",
"target": {
"file": "src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java",
"function": "processStyleTag"
},
"signature_version": "v1",
"digest": {
"function_hash": "126801159696717847423144960297568189815",
"length": 772.0
}
},
{
"deprecated": false,
"source": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae",
"id": "CVE-2022-28367-25aaeafe",
"signature_type": "Line",
"target": {
"file": "src/test/java/org/owasp/validator/html/test/TestPolicy.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"102395914133567038206162999411433682008",
"172884204425066366557287973775564351161",
"69891993284936710533120018776222880680",
"101875443924565134781607355773096569819"
]
}
},
{
"deprecated": false,
"source": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae",
"id": "CVE-2022-28367-7e6bb515",
"signature_type": "Line",
"target": {
"file": "src/main/java/org/owasp/validator/html/scan/AntiSamyDOMScanner.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"136642796337683393202179711700642177900",
"128870773222262935459506770502729513736",
"53317207876928769004406313497214808576",
"229860542803382738460268100061225296529",
"191271951501702959750778219281103334850",
"214735603198293884394947938323229844290",
"313136713396010417509642112145256498856",
"253651523449955296939612244815053890059",
"317205302213306631323288053769021199559",
"293952431329732310555540089749725023644",
"18300821776322308221142286789123141730",
"175784914226008108155297247775601230154",
"232125387965580752414898968674125482203"
]
}
},
{
"deprecated": false,
"source": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae",
"id": "CVE-2022-28367-a7cd8a4c",
"signature_type": "Function",
"target": {
"file": "src/test/java/org/owasp/validator/html/test/TestPolicy.java",
"function": "TestPolicy"
},
"signature_version": "v1",
"digest": {
"function_hash": "159741469509703674260809042637878075557",
"length": 69.0
}
},
{
"deprecated": false,
"source": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae",
"id": "CVE-2022-28367-d51b775e",
"signature_type": "Line",
"target": {
"file": "src/test/java/org/owasp/validator/html/test/AntiSamyTest.java"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"87017425024504894246560502640970701778",
"245016119317914046846709556822679037632"
]
}
}
]