HTML Injection Vulnerability in Hibernate Validator
CVE-2023-1932
6.1 MEDIUM
Key Information
- Vendor: Red Hat
- Status:
  - A-MQ Clients 2
  - Cryostat 2
  - Red Hat AMQ Broker 7
  - Red Hat A-MQ Online
- CVE Published: 7 November 2024
Summary
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may still render the resulting invalid HTML, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
CVSS V3.1
- Score: 6.1
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Timeline
- Risk change from: null to: 6.1 (MEDIUM)
- Vulnerability published.
- Vulnerability reserved.
- Reported to Red Hat.
Collectors
- NVD Database
- Mitre Database
Credit
Red Hat would like to thank Christian Kistner (SySS GmbH) and Moritz Bechler (SySS GmbH) for reporting this issue.