OWASP AntiSamy CVE-2017-14735 Cross Site Scripting Vulnerability



OWASP AntiSamy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. The sanitizer does not fully account for HTML5 named character references, so an attacker can encode the colon of a URL scheme as &colon; to construct a javascript: URL that passes AntiSamy's filtering but is decoded and executed by the browser.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
OWASP AntiSamy versions prior to 1.5.7 are vulnerable.

Information

Bugtraq ID: 105656
Class: Input Validation Error
CVE: CVE-2017-14735

Remote: Yes
Local: No
Published: Sep 25 2017 12:00AM
Updated: Jul 17 2019 07:00AM
Credit: Raj Veerappan
Vulnerable: Oracle WebCenter Sites 11.1.1.8.0
Oracle Retail Returns Management 14.1
Oracle Retail Returns Management 14.0
Oracle Retail Returns Management 13.4
Oracle Retail Returns Management 13.3
Oracle Retail Central Office 14.1
Oracle Retail Central Office 14.0
Oracle Retail Central Office 13.4
Oracle Retail Central Office 13.3
Oracle Retail Back Office 14.1
Oracle Retail Back Office 14.0
Oracle Retail Back Office 13.4
Oracle Retail Back Office 13.3
Oracle Insurance Policy Administration J2EE 10.2
Oracle Insurance Policy Administration J2EE 10.0
Oracle Insurance Calculation Engine 9.7
Oracle Insurance Calculation Engine 10.2
Oracle Insurance Calculation Engine 10.1
Oracle Insurance Calculation Engine 10.0
Oracle Fusion Middleware MapViewer 12.2.1.3.0
Oracle Fusion Middleware MapViewer 12.1.3.0
Oracle FLEXCUBE Core Banking 11.8
Oracle FLEXCUBE Core Banking 11.7
Oracle FLEXCUBE Core Banking 11.6
Oracle FLEXCUBE Core Banking 5.2
Oracle Banking Platform 2.6.1
Oracle Banking Platform 2.6
Oracle Banking Platform 2.5.0
Oracle Agile PLM 9.3.5
Oracle Agile PLM 9.3.4
Antisamy Project Antisamy 1.5.6
Antisamy Project Antisamy 1.5.4
Antisamy Project Antisamy 1.5.3
Antisamy Project Antisamy 1.5.1
Antisamy Project Antisamy 1.4.4


Not Vulnerable: Antisamy Project Antisamy 1.5.7


Exploit


An attacker can exploit this issue by submitting HTML that contains an entity-encoded javascript: URL (for example a link whose href spells the colon as &colon;) to an application that sanitizes it with a vulnerable AntiSamy release, then enticing an unsuspecting user to view the sanitized content and follow the malicious link.
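The bypass class described in this advisory comes down to a sanitizer deciding on a URL scheme before the browser's character-reference decoding has been applied. The following Python script is an added example written for this page; it is not AntiSamy code and does not claim to reproduce the 1.5.7 fix. It runs a hypothetical naive denylist check and a hardened allowlist check over a constructed set of href values, including the &colon; vector named in the CVE description, and reports which ones each check lets through. The function names, the sample hrefs and the allowed-scheme set are assumptions of the example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample href values as they might arrive in user-submitted HTML
# (test inputs made up for this example, not captured traffic).
SAMPLE_HREFS = [
    "https://example.com/page",       # benign absolute URL
    "/relative/path?x=1",             # benign relative URL
    "javascript:alert(1)",            # plain javascript: URL, caught by any check
    "javascript&colon;alert(1)",      # HTML5 named entity for ':' (the CVE-2017-14735 vector)
    "javascript&#58;alert(1)",        # decimal character reference for ':'
    "java&#x73;cript:alert(1)",       # hex character reference inside the scheme name
    "\tjavas\ncript:alert(1)",        # tab/newline inside the scheme, ignored by browsers
]

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumed policy for this example
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_href_is_safe(href: str) -> bool:
    """Hypothetical naive filter: denylist match on the raw attribute text.

    It never decodes character references, so any entity-encoded spelling of
    'javascript:' slips past it.
    """
    return not href.strip().lower().startswith("javascript:")


def canonicalize_href(href: str) -> str:
    """Reduce an href to roughly what the browser will parse as a URL.

    html.unescape decodes HTML5 named references (including &colon;) as well
    as decimal and hex numeric references. Following the URL standard, leading
    and trailing C0 controls/spaces are stripped and ASCII tab, LF and CR are
    removed everywhere.
    """
    decoded = html.unescape(href)
    decoded = decoded.strip(_C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", decoded)


def hardened_href_is_safe(href: str) -> bool:
    """Allowlist check applied after canonicalization.

    Relative URLs (no scheme) are accepted; anything with a scheme must be in
    ALLOWED_SCHEMES. Unlisted schemes such as javascript: or data: are rejected.
    """
    scheme = urlsplit(canonicalize_href(href)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def compare(hrefs=SAMPLE_HREFS):
    """Return (href, naive_verdict, hardened_verdict) for each sample."""
    return [(h, naive_href_is_safe(h), hardened_href_is_safe(h)) for h in hrefs]


if __name__ == "__main__":
    for href, naive_ok, hardened_ok in compare():
        print(f"{href!r:32} naive={'pass' if naive_ok else 'block'} "
              f"hardened={'pass' if hardened_ok else 'block'}")
```

Running the file lists each href with both verdicts: the naive check blocks only the literal javascript: string and passes every encoded variant, while the hardened check decodes named, decimal and hex references, strips the characters a browser ignores when parsing a scheme, and then allows only http, https, mailto or scheme-less relative URLs. When assessing an application that front-ends AntiSamy, feed inputs like these through the sanitizer and inspect the output rather than relying on the reported library version alone.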