ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
AI analysis not yet available
Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| owasp | enterprise_security_api | 2.3.0.0 | - |
| oracle | weblogic_server | - |
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
8
Affected Products
11
References
owasp / enterprise_security_api
| - |
| oracle | weblogic_server | - | - |
| oracle | weblogic_server | - | - |
| netapp | active_iq_unified_manager | - | - |
| netapp | active_iq_unified_manager | - | - |
| netapp | active_iq_unified_manager | - | - |
| netapp | oncommand_workflow_automation | - | - |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Exploitability
Impact