
CVE-2021-42575 – owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution
https://notcve.org/view.php?id=CVE-2021-42575
18 Oct 2021 — The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. • https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50 • CWE-20: Improper Input Validation

CVE-2021-28490
https://notcve.org/view.php?id=CVE-2021-28490
19 Aug 2021 — In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token. • https://github.com/reidmefirst/vuln-disclosure/blob/main/2021-01.txt • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2010-3300
https://notcve.org/view.php?id=CVE-2010-3300
22 Jun 2021 — It was found that all OWASP ESAPI for Java up to version 2.0 RC2 are vulnerable to padding oracle attacks. • https://seclists.org/oss-sec/2010/q3/357 • CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

CVE-2021-23900
https://notcve.org/view.php?id=CVE-2021-23900
13 Jan 2021 — OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations. • https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

CVE-2021-23899
https://notcve.org/view.php?id=CVE-2021-23899
13 Jan 2021 — OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents. • https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e • CWE-611: Improper Restriction of XML External Entity Reference

CVE-2020-13973
https://notcve.org/view.php?id=CVE-2020-13973
09 Jun 2020 — OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript. • https://github.com/epicosy/json-sanitizer • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-1020007
https://notcve.org/view.php?id=CVE-2019-1020007
29 Jul 2019 — Dependency-Track before 3.5.1 allows XSS. • https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-jp9v-w6vw-9m5v • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-16384
https://notcve.org/view.php?id=CVE-2018-16384
03 Sep 2018 — A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2018-12036
https://notcve.org/view.php?id=CVE-2018-12036
07 Jun 2018 — OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames. • https://github.com/jeremylong/DependencyCheck/blob/master/RELEASE_NOTES.md#version-320-2018-05-21 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-123: Write-what-where Condition

CVE-2013-5960
https://notcve.org/view.php?id=CVE-2013-5960
30 Sep 2013 — The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679. • http://code.google.com/p/owasp-esapi-java/issues/detail?id=306 • CWE-310: Cryptographic Issues