CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 1CVE-2022-24891 – Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file
https://notcve.org/view.php?id=CVE-2022-24891
27 Apr 2022 — ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the ... • https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-23457 – Path Traversal in ESAPI
https://notcve.org/view.php?id=CVE-2022-23457
25 Apr 2022 — ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0... • https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2010-3300
https://notcve.org/view.php?id=CVE-2010-3300
22 Jun 2021 — It was found that all OWASP ESAPI for Java up to version 2.0 RC2 are vulnerable to padding oracle attacks. Se ha detectado que todos los OWASP ESAPI para Java hasta versión 2.0 RC2, son vulnerables a ataques de tipo padding oracle • https://seclists.org/oss-sec/2010/q3/357 • CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 2CVE-2013-5960
https://notcve.org/view.php?id=CVE-2013-5960
30 Sep 2013 — The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679. La característica de cifrado autenticado en la implementación de cifrado ... • http://code.google.com/p/owasp-esapi-java/issues/detail?id=306 • CWE-310: Cryptographic Issues •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 1CVE-2013-5679 – OWASP ESAPI Symmetric Encryption MAC Bypass
https://notcve.org/view.php?id=CVE-2013-5679
16 Sep 2013 — The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length. La función de cifrado-autenticado en el cifrado-simétrico implementado en OWASP Enterprise ... • http://code.google.com/p/owasp-esapi-java/issues/detail?id=306 • CWE-310: Cryptographic Issues •