Home > Vulnerability Database > WS-2023-0429

Mend.io Vulnerability Database

WS-2023-0429

Good to know:

Date: August 19, 2025

The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true), but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecated and will be removed in one years time from when this advisory is published. Note that all versions of ESAPI, that have this method (which dates back to at least the ESAPI 1.3 release more than 15 years ago) have this issue and it will continue to exist until these two methods are removed in a future ESAPI release.

Language: Java

Severity Score

6.1

Related Resources (8)

Url: https://github.com/advisories/GHSA-r68h-jhhj-9jvm

Url: https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7

Url: https://github.com/go-jose/go-jose/issues/64

Url: https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568

Url: https://github.com/go-jose/go-jose

Url: https://github.com/ESAPI/esapi-java-legacy

Url: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm

Url: https://www.mend.io/vulnerability-database/WS-2023-0429

Severity Score

6.1

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0429

Good to know:

Date: August 19, 2025

Language: Java

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?