CVE-2022-28367
Cross-site Scripting in OWASP AntiSamy
CVSS 3.1 base score 6.1 (MEDIUM); EPSS 0.20%
Description
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
How to fix CVE-2022-28367
To remediate CVE-2022-28367, upgrade the affected package to a fixed version below.
- Debian/libowasp-antisamy-java—no fix listed
- —upgrade to 1.6.6 or later
Is CVE-2022-28367 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 1.6.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |