HTML Injection Vulnerability in Hibernate Validator
CVE-2023-1932

6.1MEDIUM

Key Information:

Vendor: Red Hat
Status: A-MQ Clients 2; Cryostat 2; Red Hat AMQ Broker 7; Red Hat A-MQ Online
Vendor: CVE Published:; 7 November 2024

Summary

A flaw exists in the 'isValid' method within the SafeHtmlValidator class of Hibernate Validator that allows for potential HTML injection and Cross-Site Scripting (XSS) attacks. This vulnerability occurs due to the improper handling of HTML tags, specifically when tag endings are omitted in a less-than character format. Consequently, browsers may render invalid HTML, which could be exploited by attackers to inject malicious scripts, compromising the security of affected applications.

References

https://access.redhat.com/security/cve/CVE-2023-1932

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=1809444

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 7, 2024
Vulnerability Reserved
Apr 6, 2023

Credit

Red Hat would like to thank Christian Kistner (SySS GmbH) and Moritz Bechler (SySS GmbH) for reporting this issue.