org.owasp.esapi:esapi@2.5.3.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.owasp.esapi:esapi package. This does not include vulnerabilities belonging to this package’s dependencies.

Cross-site Scripting (XSS)
Severity: High

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the Validator.isValidSafeHTML method. The method can produce false negatives: it may report input as safe when it is not. Code that treats the boolean result as a gate and then uses the original input without further validation therefore retains the unsafe markup, and the vulnerability persists in whatever is stored or rendered from it.

Notes:

  1. This is only exploitable if the Validator.isValidSafeHTML method is used.

  2. Validator.getValidSafeHTML is believed to be safe to use with the default antisamy-esapi.xml AntiSamy policy file.

  3. The vulnerable method was deprecated in 2.5.3.0.
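The following is an added example, not code from this page or from the ESAPI project, showing the gate-then-pass-through pattern the advisory warns about next to the pattern Note 2 recommends. It assumes a configured ESAPI runtime (ESAPI.properties, validation.properties and the default antisamy-esapi.xml on the classpath); the class name CommentSanitizer, the method names, the context string "comment" and the 10000-character limit are illustrative choices, not ESAPI defaults.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Illustrative class (assumed name), not part of ESAPI.
public class CommentSanitizer {

    // Vulnerable pattern: isValidSafeHTML is only a yes/no gate, and the advisory
    // says it can answer "yes" for input that is not safe. Because the ORIGINAL
    // input is returned unchanged, a false negative here becomes stored XSS
    // wherever the comment is later rendered.
    static String acceptCommentVulnerable(String untrustedHtml) throws ValidationException {
        if (ESAPI.validator().isValidSafeHTML("comment", untrustedHtml, 10000, false)) {
            return untrustedHtml;   // raw, unsanitized markup passes through
        }
        throw new ValidationException("Comment rejected",
                "isValidSafeHTML returned false for context 'comment'");
    }

    // Recommended pattern: getValidSafeHTML returns the AntiSamy-cleaned output
    // (or throws), so what the caller stores is the sanitized markup rather than
    // the attacker's input. Note 2 above states this is believed safe with the
    // default antisamy-esapi.xml policy.
    static String acceptComment(String untrustedHtml) throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidSafeHTML("comment", untrustedHtml, 10000, false);
    }
}
```

Use acceptComment on the raw request parameter and persist only its return value; the distinguishing point is that the sanitized string, not the boolean verdict, is what reaches storage and the page.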

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.owasp.esapi:esapi.

Vulnerable versions: [0,)

Denial of Service (DoS)
Severity: High

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the HTTPUtilities.getFileUploads methods and in the ESAPIWebApplicationFirewallFilter. An attacker can trigger it by uploading a large number of files, either in a single multipart request or across a series of uploads. The underlying issue is the unbounded number of request parts in Apache Commons FileUpload (CVE-2023-24998), which ESAPI's multipart handling relies on.

Note:

If you are using any of the HTTPUtilities.getFileUploads methods, you are potentially affected.

Upgrading to version 2.5.2.0 addresses the issue described in CVE-2023-24998, but to be fully protected the maintainer recommends taking the additional prevention steps described below.
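The following is an added defense-in-depth example, not the project's code and not the maintainer's recommended steps (which this page does not reproduce): a servlet that bounds what reaches HTTPUtilities.getFileUploads. The class name GuardedUploadServlet, the numeric limits, the upload directory, the allowed extensions and the session attribute names are all assumptions. It caps the declared request size before any parsing, throttles upload requests per session to cover the "series of uploads" case, and rejects requests that yield more files than expected. That last check runs after ESAPI has already parsed the body, so it limits what is kept, not what the parser processes; it does not replace a parser-level file count limit.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Illustrative servlet (assumed name); all limits below are example values.
public class GuardedUploadServlet extends HttpServlet {
    private static final long MAX_REQUEST_BYTES      = 10L * 1024 * 1024;  // 10 MiB per request
    private static final int  MAX_FILES_PER_REQUEST  = 5;
    private static final int  MAX_UPLOADS_PER_WINDOW = 20;                 // per session
    private static final long WINDOW_MILLIS          = 60_000L;            // 1 minute
    private static final File UPLOAD_DIR             = new File("/var/app/uploads"); // assumed path
    private static final List<String> ALLOWED_EXT    = Arrays.asList(".png", ".jpg", ".pdf");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Refuse bodies the server is not willing to buffer. A request with no
        //    declared length (chunked transfer) is refused too, since its size
        //    cannot be bounded before parsing starts.
        long declared = req.getContentLengthLong();
        if (declared < 0 || declared > MAX_REQUEST_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // 2. Throttle repeated upload requests from one session.
        if (!allowUploadInWindow(req.getSession(true), System.currentTimeMillis())) {
            resp.sendError(429, "Too many uploads");
            return;
        }
        // 3. Delegate multipart parsing to ESAPI, then enforce a file count on
        //    the result. This is post-hoc: the parser has already done its work.
        List<File> files;
        try {
            files = ESAPI.httpUtilities().getFileUploads(req, UPLOAD_DIR, ALLOWED_EXT);
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (files.size() > MAX_FILES_PER_REQUEST) {
            for (File f : files) {
                f.delete();   // do not keep anything from an over-limit request
            }
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Too many files");
            return;
        }
        resp.setStatus(HttpServletResponse.SC_OK);
    }

    // Fixed-window counter kept in the session: returns false once the window's
    // quota is used, and starts a fresh window when the previous one has expired.
    static boolean allowUploadInWindow(HttpSession session, long now) {
        Long windowStart = (Long) session.getAttribute("uploadWindowStart");
        Integer count = (Integer) session.getAttribute("uploadCount");
        if (windowStart == null || count == null || now - windowStart > WINDOW_MILLIS) {
            windowStart = now;
            count = 0;
        }
        if (count >= MAX_UPLOADS_PER_WINDOW) {
            return false;
        }
        session.setAttribute("uploadWindowStart", windowStart);
        session.setAttribute("uploadCount", count + 1);
        return true;
    }
}
```

The byte cap is a coarse bound on file count (each multipart part costs at least a boundary and headers), and the per-session counter does nothing against an attacker who opens a new session per request, so pair it with a per-client limit at the reverse proxy. The ESAPIWebApplicationFirewallFilter path is not covered by this example.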

How to fix Denial of Service (DoS)?

There is no fixed version for org.owasp.esapi:esapi.

Vulnerable versions: [0,)