HTML Injection Vulnerability in Hibernate Validator

CVE-2023-1932

6.1MEDIUM

Key Information

Vendor: Red Hat
Status: A-MQ Clients 2; Cryostat 2; Red Hat AMQ Broker 7; Red Hat A-MQ Online
Vendor: CVE Published:; 7 November 2024

Summary

A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

References

https://access.redhat.com/security/cve/CVE-2023-1932

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=1809444

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 7, 2024
Vulnerability Reserved
Apr 6, 2023

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Christian Kistner (SySS GmbH) and Moritz Bechler (SySS GmbH) for reporting this issue.