MidnightBSD

Advisories for jsoup

CVE-2015-6748 MEDIUM

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
debian debian_linux 8.0
jsoup jsoup *
CVE-2021-37714 MEDIUM

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-248,CWE-835,CWE-835,

Products Affected

Vendor Product Version
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle banking_treasury_management 14.5
oracle communications_messaging_server 8.1
oracle hospitality_token_proxy_service 19.2
oracle banking_trade_finance 14.5
oracle flexcube_universal_banking 14.5
oracle middleware_common_libraries_and_tools 12.2.1.4.0
oracle primavera_unifier 20.12
oracle webcenter_portal 12.2.1.3.0
oracle retail_customer_management_and_segmentation_foundation *
oracle business_process_management_suite 12.2.1.4.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle stream_analytics *
oracle primavera_unifier 21.12
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle middleware_common_libraries_and_tools 12.2.1.3.0
jsoup jsoup *
oracle business_process_management_suite 12.2.1.3.0
oracle peoplesoft_enterprise_peopletools 8.59
quarkus quarkus *
netapp management_services_for_element_software_and_netapp_hci -
oracle stream_analytics 19c
oracle webcenter_portal 12.2.1.4.0
oracle flexcube_universal_banking *
CVE-2022-36033

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Products Affected

Vendor Product Version
netapp management_services_for_netapp_hci -
netapp management_services_for_element_software -
jsoup jsoup *
netapp oncommand_workflow_automation -