CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2022-36033 – jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled
https://notcve.org/view.php?id=CVE-2022-36033
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. • https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3 https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369 https://jsoup.org/news/release-1.15.3 https://security.netapp.com/advisory/ntap-20221104-0006 https://access.redhat.com/security/cve/CVE-2022-36033 https://bugzilla.redhat.com/show_bug.cgi?id=2127078 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2021-37714 – Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions
https://notcve.org/view.php?id=CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. • https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c https://jsoup.org/news/release-1.14.1 https://jsoup.org/news/release-1.14.2 https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E https://lists.apa • CWE-248: Uncaught Exception CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6748 – jsoup: XSS vulnerability related to incomplete tags at EOF
https://notcve.org/view.php?id=CVE-2015-6748
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en jsoup en versiones anteriores a la 1.8.3. It was found that jsoup did not properly validate user-supplied HTML content; certain HTML snippets could get past the validator without being detected as unsafe. A remote attacker could use a specially crafted HTML snippet to execute arbitrary web script in the user's browser. • http://www.openwall.com/lists/oss-security/2015/08/28/5 http://www.securityfocus.com/bid/76504 https://bugzilla.redhat.com/show_bug.cgi?id=1258310 https://github.com/jhy/jsoup/pull/582 https://hibernate.atlassian.net/browse/HV-1012 https://issues.jboss.org/browse/WFLY-5223?_sscc=t https://lists.debian.org/debian-lts-announce/2020/01/msg00021.html https://access.redhat.com/security/cve/CVE-2015-6748 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •