OWASP AntiSamy prior to 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.
Vulnerable Product |
---|
antisamy project antisamy |
oracle retail back office 14.0 |
oracle retail back office 14.1 |
oracle retail central office 14.0 |
oracle retail central office 14.1 |
oracle retail returns management 14.0 |
oracle retail returns management 14.1 |
oracle banking enterprise default management 2.6.2 |
oracle banking enterprise default management 2.7.0 |
oracle banking enterprise default management 2.7.1 |
oracle banking enterprise default management 2.10.0 |
oracle banking enterprise default management 2.12.0 |
oracle banking enterprise default managment |
oracle banking party management 2.7.0 |
oracle banking platform |
oracle banking platform 2.6.2 |
oracle banking platform 2.7.0 |
oracle banking platform 2.7.1 |
oracle insurance policy administration 11.0.2 |
oracle insurance policy administration 11.1.0 |
oracle insurance policy administration 11.2.8 |
oracle insurance policy administration 11.3.0 |
oracle insurance policy administration 11.3.1 |
oracle middleware common libraries and tools 12.2.1.3.0 |
oracle middleware common libraries and tools 12.2.1.4.0 |
netapp active iq unified manager - |