PT-2022-4449 · Jsoup+3

Jens Häderer · Published 2022-08-24 · Updated 2024-08-26 · CVE-2022-36033

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: jsoup versions prior to 1.15.3

Description: The issue stems from incorrect sanitization of HTML containing javascript: URL expressions, which could allow cross-site scripting (XSS) when a reader subsequently clicks such a link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML containing javascript: URLs that have been crafted with control characters is not sanitized. If the site on which this HTML is published does not set a Content Security Policy, an XSS attack is then possible.

Recommendations: To resolve the issue for versions prior to 1.15.3:
  • Upgrade to version 1.15.3.
  • Additionally, because the unsanitized input may have been persisted, clean old content again using the updated version. As a temporary workaround, consider disabling the SafeList.preserveRelativeLinks option, which rewrites input URLs as absolute URLs. Ensure an appropriate Content Security Policy is defined; it should be in place regardless of upgrading, as a defence-in-depth best practice.
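The following Java example is added here to illustrate the recommendations above; it is not code from the advisory or from the jsoup project. It places the weak setting (preserveRelativeLinks enabled) beside the recommended default, and shows how persisted content can be passed through the cleaner again after upgrading to 1.15.3. The base URI, class name and sample HTML are constructed assumptions; the jsoup calls used (Jsoup.clean, Safelist.basic, Safelist.preserveRelativeLinks) are the library's public API.

```java
import java.util.ArrayList;
import java.util.List;

import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class JsoupReclean {

    // Constructed placeholder: the origin that stored relative links are resolved against.
    static final String BASE_URI = "https://example.invalid/";

    // Weak configuration: relative hrefs are kept verbatim. This is the non-default
    // option the advisory names as affected on jsoup versions prior to 1.15.3.
    static Safelist weakSafelist() {
        return Safelist.basic().preserveRelativeLinks(true);
    }

    // Recommended configuration: preserveRelativeLinks stays at its default (false),
    // so relative URLs are rewritten as absolute URLs against BASE_URI.
    static Safelist hardenedSafelist() {
        return Safelist.basic();
    }

    // Clean one untrusted HTML fragment with the given policy.
    static String clean(String untrustedHtml, Safelist safelist) {
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist);
    }

    // Re-clean content that was persisted before the upgrade, as the advisory advises.
    // Runs on the updated library with the hardened policy and returns the cleaned copies.
    static List<String> recleanStored(List<String> storedFragments) {
        List<String> cleaned = new ArrayList<>(storedFragments.size());
        Safelist policy = hardenedSafelist();
        for (String fragment : storedFragments) {
            cleaned.add(clean(fragment, policy));
        }
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample records standing in for previously persisted user content.
        List<String> stored = List.of(
            "<a href=\"/docs/page\">docs</a>",
            "<a href=\"javascript:void(0)\">click</a>",
            "<p onclick=\"x()\">text</p>"
        );

        System.out.println("weak policy (preserveRelativeLinks=true):");
        for (String fragment : stored) {
            System.out.println("  " + clean(fragment, weakSafelist()));
        }

        System.out.println("hardened policy (default, re-cleaned after upgrade):");
        for (String out : recleanStored(stored)) {
            System.out.println("  " + out);
        }
    }
}
```

Run it against jsoup 1.15.3 or later on the classpath. Under the hardened policy the relative href is resolved to an absolute URL on BASE_URI, while the javascript: href and the onclick attribute are dropped by Safelist.basic(); pair this with a Content Security Policy on the publishing site, as the advisory recommends, so that a link the sanitizer misses cannot execute script on its own.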

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

AZL-10740
AZL-36946
BDU:2022-05314
CVE-2022-36033
GHSA-GP7F-RWCX-9369
OESA-2024-1255
OPENSUSE-SU-2022_4011-1
OPENSUSE-SU-2024:12413-1
RHSA-2024:8075
RHSA-2024:8076
RHSA-2024:8077
SUSE-SU-2022:4011-1
SUSE-SU-2022_4011-1

Affected Products

Debian
Red Os
Suse
Jsoup