oss-sec mailing list archives
CVE request: XSS vulnerability in jsoup related to incomplete tags at EOF
From: Florian Weimer <fweimer () redhat com>
Date: Fri, 28 Aug 2015 10:05:47 +0200
Described in this pull request by Tommy Johansen:

“We use Hibernate Validator (HV) and the @SafeHtml annotation to validate input from users. During a security review we discovered that an unsafe XSS vector slipped by the validator. During debugging HV we discovered that the source of the problem was related to how Jsoup handled tags without a closing > when reaching EOF.”

<https://github.com/jhy/jsoup/pull/582>

Additional references:

<https://hibernate.atlassian.net/browse/HV-1012>
<https://issues.jboss.org/browse/WFLY-5223>

Would you please assign a CVE ID to this issue?

Thanks.

--
Florian Weimer / Red Hat Product Security
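The report above concerns input that reaches EOF while still inside an unterminated tag. As an added, defender-side example (not jsoup's or Hibernate Validator's code, and not the fix from the referenced pull request), the scanner below flags fragments that end inside a tag, a quoted attribute value, or a comment, so they can be rejected before a whitelist sanitiser ever sees them; the `ends_inside_tag` and `validate_fragment` names are this example's own.

```python
"""Defence-in-depth pre-check for HTML fragments that end mid-tag.

Added example: a small state machine that reports whether an HTML
fragment hits EOF without a closing '>' for an open tag, an open
comment, or a quoted attribute value.  It is deliberately conservative
(a quote anywhere inside a tag is treated as opening a quoted value),
so it may reject unusual-but-valid markup; it never passes a fragment
that ends mid-tag.
"""
from typing import Callable, Optional


def ends_inside_tag(fragment: str) -> bool:
    """Return True if EOF is reached inside a tag, quoted attribute, or comment."""
    state = "data"  # data | tag | squote | dquote | comment
    i, n = 0, len(fragment)
    while i < n:
        c = fragment[i]
        if state == "data":
            if fragment.startswith("<!--", i):
                state = "comment"
                i += 4
                continue
            if c == "<":
                nxt = fragment[i + 1] if i + 1 < n else ""
                # Per HTML, '<' opens a tag only when followed by a letter, '/', '!' or '?';
                # a bare '<' (as in "1 < 2") stays ordinary text.
                if nxt.isalpha() or nxt in "/!?":
                    state = "tag"
        elif state == "tag":
            if c == ">":
                state = "data"
            elif c == "'":
                state = "squote"
            elif c == '"':
                state = "dquote"
        elif state == "squote" and c == "'":
            state = "tag"
        elif state == "dquote" and c == '"':
            state = "tag"
        elif state == "comment" and fragment.startswith("-->", i):
            state = "data"
            i += 3
            continue
        i += 1
    return state != "data"


def validate_fragment(fragment: str, sanitise: Callable[[str], str]) -> Optional[str]:
    """Reject fragments that end mid-tag; otherwise hand them to the sanitiser."""
    if ends_inside_tag(fragment):
        return None
    return sanitise(fragment)
```

`sanitise` stands in for whatever whitelist cleaner the application already uses; the pre-check only closes off the EOF case, it does not replace sanitisation.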