jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
Published 2022-08-29 17:15:09
Updated 2022-12-08 03:48:05
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-36033

Exploit prediction scoring system (EPSS) score for CVE-2022-36033

0.11%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36033

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.1
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2.8
2.7
NIST
6.1
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2.8
2.7
GitHub, Inc.
6.1
MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
N/A
N/A
Oracle:CPUOct2023

CWE ids for CVE-2022-36033

References for CVE-2022-36033

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!