Date: Fri, 28 Aug 2015 10:05:47 +0200 From: Florian Weimer <fweimer@...hat.com> To: Assign a CVE Identifier <cve-assign@...re.org> Cc: oss-security@...ts.openwall.com Subject: CVE request: XSS vulnerability in jsoup related to incomplete tags at EOF Described in this pull request by Tommy Johansen: “ We use Hibernate Validator (HV) and the @SafeHtlm annotation to validate input from users. During a security review we discovered that an unsafe XSS vector slipped by the validator. During debugging HV we discovered that the source of the problem was related to how Jsoup handled tags without a closing > when reaching EOF. ” <https://github.com/jhy/jsoup/pull/582> Additional references: <https://hibernate.atlassian.net/browse/HV-1012> <https://issues.jboss.org/browse/WFLY-5223> Would you please a CVE ID to this issue? Thanks. -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.