CVE-2017-14735

Description

OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.

How to fix CVE-2017-14735

To remediate CVE-2017-14735, upgrade the affected package to a fixed version below.

• Debian/libowasp-antisamy-java—no fix listed
• Maven/org.owasp.antisamy:antisamy—upgrade to 1.5.7 or later

Is CVE-2017-14735 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0
• from 0, < 1.5.7

CVSS scores

References (12)

• ADVISORYgithub.com/advisories/GHSA-q44v-xc3g-v7jq
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-14735
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-14735
• PATCHgithub.com/nahsra/antisamy
• WEB