Description
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
Remediation
References
https://github.com/nahsra/antisamy/issues/10
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105656
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
Related Vulnerabilities
CVE-2022-39350 Vulnerability in npm package @dependencytrack/frontend
CVE-2022-36884 Vulnerability in maven package org.jenkins-ci.plugins:git
CVE-2017-9735 Vulnerability in maven package org.eclipse.jetty:jetty-util
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-drill