Описание
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML, including javascript: URLs crafted with control characters, will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| AMQ Clients | org.jsoup/jsoup | Not affected | ||
| A-MQ Clients 2 | org.jsoup/jsoup | Will not fix | ||
| Cryostat 3 | org.jsoup/jsoup | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | org.jsoup/jsoup | Affected | ||
| Migration Toolkit for Applications 6 | org.jsoup/jsoup | Will not fix | ||
| OpenShift Serverless | org.jsoup/jsoup | Not affected | ||
| Red Hat AMQ Broker 7 | org.jsoup/jsoup | Not affected | ||
| Red Hat build of Apache Camel 4 for Quarkus 3 | org.jsoup/jsoup | Will not fix | ||
| Red Hat build of Apache Camel for Spring Boot 3 | org.jsoup/jsoup | Affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | org.jsoup/jsoup | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
6.1 Medium
CVSS3
Связанные уязвимости
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/We...
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/H
jsoup is a Java HTML parser, built for HTML editing, cleaning, scrapin ...
jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled
EPSS
6.1 Medium
CVSS3