A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render the invalid HTML, allowing HTML injection or Cross-Site Scripting (XSS) attacks.
History

Thu, 07 Nov 2024 14:15:00 +0000

Weaknesses
  Values added: CWE-79

Metrics
  Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 Nov 2024 10:15:00 +0000

Title
  Values removed: hibernate-validator: rendering of invalid html with SafeHTML leads to HTML injection and XSS
  Values added: Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss

First Time appeared
  Values added:
    Redhat
    Redhat a Mq Clients
    Redhat amq Broker
    Redhat amq Online
    Redhat amq Streams
    Redhat cryostat
    Redhat jboss Data Grid
    Redhat jboss Data Virtualization
    Redhat jboss Developer Studio
    Redhat jboss Enterprise Application Platform
    Redhat jboss Enterprise Application Platform Cd
    Redhat jboss Enterprise Bpms Platform
    Redhat jboss Enterprise Brms Platform
    Redhat jboss Enterprise Soa Platform
    Redhat jboss Fuse
    Redhat jboss Fuse Service Works
    Redhat jboss Operations Network
    Redhat openshift Application Runtimes
    Redhat openstack
    Redhat red Hat Single Sign On
    Redhat satellite

CPEs
  Values added:
    cpe:/a:redhat:a_mq_clients:2
    cpe:/a:redhat:amq_broker:7
    cpe:/a:redhat:amq_online:1
    cpe:/a:redhat:amq_streams:1
    cpe:/a:redhat:cryostat:2
    cpe:/a:redhat:jboss_data_grid:7
    cpe:/a:redhat:jboss_data_grid:8
    cpe:/a:redhat:jboss_data_virtualization:6
    cpe:/a:redhat:jboss_developer_studio:12.
    cpe:/a:redhat:jboss_enterprise_application_platform:5
    cpe:/a:redhat:jboss_enterprise_application_platform:6
    cpe:/a:redhat:jboss_enterprise_application_platform:7
    cpe:/a:redhat:jboss_enterprise_application_platform_cd
    cpe:/a:redhat:jboss_enterprise_bpms_platform:6
    cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    cpe:/a:redhat:jboss_enterprise_brms_platform:5
    cpe:/a:redhat:jboss_enterprise_brms_platform:7
    cpe:/a:redhat:jboss_enterprise_soa_platform:5
    cpe:/a:redhat:jboss_fuse:6
    cpe:/a:redhat:jboss_fuse:7
    cpe:/a:redhat:jboss_fuse_service_works:6
    cpe:/a:redhat:jboss_operations_network:3
    cpe:/a:redhat:openshift_application_runtimes:1.0
    cpe:/a:redhat:openstack:10
    cpe:/a:redhat:openstack:13
    cpe:/a:redhat:red_hat_single_sign_on:7
    cpe:/a:redhat:satellite:6

Vendors & Products
  Values added:
    Redhat
    Redhat a Mq Clients
    Redhat amq Broker
    Redhat amq Online
    Redhat amq Streams
    Redhat cryostat
    Redhat jboss Data Grid
    Redhat jboss Data Virtualization
    Redhat jboss Developer Studio
    Redhat jboss Enterprise Application Platform
    Redhat jboss Enterprise Application Platform Cd
    Redhat jboss Enterprise Bpms Platform
    Redhat jboss Enterprise Brms Platform
    Redhat jboss Enterprise Soa Platform
    Redhat jboss Fuse
    Redhat jboss Fuse Service Works
    Redhat jboss Operations Network
    Redhat openshift Application Runtimes
    Redhat openstack
    Redhat red Hat Single Sign On
    Redhat satellite
References

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-11-07T10:00:51.745Z

Updated: 2024-11-07T14:09:26.936Z

Reserved: 2023-04-06T20:10:01.569Z

Link: CVE-2023-1932

Vulnrichment

Updated: 2024-11-07T14:09:22.459Z

NVD

Status: Awaiting Analysis

Published: 2024-11-07T10:15:04.507

Modified: 2024-11-08T19:01:03.880

Link: CVE-2023-1932

Redhat

Severity: Moderate

Public Date: 2024-02-07T00:00:00Z

Links: CVE-2023-1932 - Bugzilla