CVE-2022-36033 in FLEXCUBE Enterprise Limits and Collateral Management

Summary

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:

- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
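The following is an added example, not code from the advisory or from the jsoup project, showing the weak setting described above beside the hardened configuration. It assumes jsoup 1.15.3 or later on the classpath (the class is spelled `Safelist` in the library's API), and the class name `HtmlSanitizer`, the base URI and the sample inputs are constructed for illustration.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Sanitizer configuration illustrating the remediation in the advisory.
 * Hypothetical class; assumes jsoup 1.15.3 or later is on the classpath.
 */
public class HtmlSanitizer {

    // Weak configuration: preserveRelativeLinks(true) is the non-default
    // setting the advisory warns about. Before 1.15.3 it could let crafted
    // "javascript:" links through the cleaner. Shown only for contrast.
    static Safelist weakSafelist() {
        return Safelist.basic().preserveRelativeLinks(true);
    }

    // Hardened configuration: leave preserveRelativeLinks at its default
    // (false). Relative hrefs are then resolved against the base URI and
    // emitted as absolute URLs, and any href whose scheme is not in the
    // allowed list (http, https, ftp, mailto for <a href>) is dropped.
    static Safelist hardenedSafelist() {
        return Safelist.basic();
    }

    // Clean untrusted HTML against the site's own base URI. Because the
    // hardened Safelist rewrites relative links to absolute ones, a base URI
    // is required; with an empty base URI relative links are simply removed.
    static String sanitize(String untrustedHtml, String baseUri) {
        return Jsoup.clean(untrustedHtml, baseUri, hardenedSafelist());
    }

    // Re-clean previously stored content, as the advisory recommends, since
    // input accepted by an older jsoup may have been persisted unsanitized.
    static String recleanStored(String storedHtml, String baseUri) {
        return sanitize(storedHtml, baseUri);
    }

    public static void main(String[] args) {
        String base = "https://example.org/"; // constructed sample base URI

        // Constructed sample inputs, not taken from the advisory.
        String[] samples = {
            "<p>Hello <a href=\"/docs\">docs</a></p>",
            "<p><a href=\"javascript:void(0)\">link</a></p>",
            "<p><a href=\"https://example.org/x\" onclick=\"handler()\">ok</a></p>"
        };

        for (String s : samples) {
            System.out.println("in : " + s);
            // Expected: the relative link becomes absolute, the javascript:
            // href is removed, and the onclick attribute is stripped.
            System.out.println("out: " + sanitize(s, base));
        }
    }
}
```

The sanitizer is only one half of the advisory's recommendation: the page this output is rendered on should also send a Content-Security-Policy header, so that a link that slips past any sanitizer still cannot execute script.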

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

08/29/2022

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

| ID | Vulnerability | CWE | Exploit | Countermeasure | CVE |
|---|---|---|---|---|---|
| 251152 | Oracle FLEXCUBE Enterprise Limits and Collateral Management Infrastructure cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 251149 | Oracle Financial Services Lending and Leasing Internal Operations cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 251148 | Oracle Banking Virtual Account Management Common Core cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 251147 | Oracle Banking Electronic Data Exchange for Corporates Reports cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 251146 | Oracle Banking Corporate Lending Process Management Base cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 251145 | Oracle Banking Branch Reports cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 242653 | Oracle Financial Services Model Management and Governance Installer cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234829 | Oracle Enterprise Data Quality General cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234772 | Oracle Banking Trade Finance Process Management Dashboard cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234771 | Oracle Banking Supply Chain Finance Security cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234770 | Oracle Banking Origination Onboarding Batch Processes cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234769 | Oracle Banking Liquidity Management Common cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234767 | Oracle Banking Credit Facilities Process Management Common cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234766 | Oracle Banking Cash Management Accessibility cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 234488 | Oracle GoldenGate Stream Analytics cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226714 | Oracle Retail Customer Management and Segmentation Foundation Internal Operations cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226689 | Oracle PeopleSoft Enterprise PeopleTools Elastic Search cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226564 | Oracle WebCenter Portal Security cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226563 | Oracle Middleware Common Libraries and Tools Third Party cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226561 | Oracle Business Process Management Suite Installer cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226513 | Oracle FLEXCUBE Universal Banking Infrastructure cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226494 | Oracle Banking Treasury Management Infrastructure cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226493 | Oracle Banking Trade Finance Infrastructure cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226492 | Oracle Banking Digital Experience UI General cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 226437 | Oracle Primavera Unifier User cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 218690 | Oracle Financial Services Crime and Compliance Management Studio cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 211470 | Oracle Communications Cloud Native Core Console Installer cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
| 207511 | jsoup javascript URL cross site scripting | 79 | Not defined | Official fix | CVE-2022-36033 |
