WS-2023-0429
December 07, 2024
The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true), but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecated and will be removed in one years time from when this advisory is published.
Note that all versions of ESAPI, that have this method (which dates back to at least the ESAPI 1.3 release more than 15 years ago) have this issue and it will continue to exist until these two methods are removed in a future ESAPI release.
Affected Packages
org.owasp.esapi:esapi (JAVA):
Affected version(s) =2.0GA <2.0_rc9Fix Suggestion:
Update to version 2.0_rc9org.owasp.esapi:esapi (JAVA):
Affected version(s) >=2.0.1 <2.6.0.0Fix Suggestion:
Update to version 2.6.0.0org.apache.servicemix.bundles:org.apache.servicemix.bundles.esapi (JAVA):
Affected version(s) >=2.0GA_1 <=2.5.1.0_1Fix Suggestion:
Update to version no_fixflash20/yii2-adminh-asset (PHP):
Affected version(s) >=dev-master <=0.0.3Fix Suggestion:
Update to version no_fixlizetheb1920/high-chart (PHP):
Affected version(s) =dev-masterFix Suggestion:
Update to version no_fixRelated Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Uncontrolled Resource Consumption
