CVE-2022-28367

Name	CVE-2022-28367
Description	OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	1010154

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libowasp-antisamy-java (PTS)	buster	1.5.3+dfsg-1	vulnerable
	bookworm, bullseye, sid	1.5.3+dfsg-1.1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libowasp-antisamy-java	source	(unstable)	(unfixed)			1010154

Notes

[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
[stretch] - libowasp-antisamy-java <no-dsa> (Minor issue)
https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6)
Make sure to fix the issue completely and include the commit otherwise opening CVE-2022-29577
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7)