jsoup <1.15.3 XSS via unsafe javascript: URLs (preserveRelativeLinks)
CVE-2022-36033 Published on August 29, 2022

jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Github Repository NVD

Vulnerability Analysis

CVE-2022-36033 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-36033. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Types

Improper Neutralization of Alternate XSS Syntax

The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-36033 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2022-36033

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-36033 are published in these products:

Jsoup
 
NetApp Oncommand Workflow Automation
 
NetApp Management Services Element Software
 
Management Services Netapp Hci
 
Oracle
 

Affected Versions

jhy jsoup Version < 1.15.3 is affected by CVE-2022-36033

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-36033

Package Manager Vulnerable Package Versions Fixed In
maven org.jsoup:jsoup < 1.15.3 1.15.3

Exploit Probability

EPSS
1.64%
Percentile
81.71%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.