DescriptionOWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libowasp-antisamy-java (PTS)buster1.5.3+dfsg-1fixed
bookworm, sid, bullseye1.5.3+dfsg-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libowasp-antisamy-javasource(unstable)(not affected)


- libowasp-antisamy-java <not-affected> (Incomplete fix for CVE-2022-28367 not applied) (v1.6.7)

Search for package or bug name: Reporting problems