CVE-2022-24891 — MEDIUM (5.4)

Q: How severe is CVE-2022-24891?

CVE-2022-24891 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-24891?

Check the references section above for vendor advisories and patch information. Affected products include: Owasp Enterprise Security Api, Oracle Weblogic Server, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation.

Vulnerability Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Owasp	Enterprise Security Api	< 2.3.0.0
Oracle	Weblogic Server	12.2.1.3.0
Netapp	Active Iq Unified Manager	-
Netapp	Oncommand Workflow Automation	-

Related Weaknesses (CWE)

CWE-79

References

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-secuExploitMitigationThird Party Advisory
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4javaRelease Notes
https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xxThird Party Advisory
https://security.netapp.com/advisory/ntap-20230127-0014/Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-secuExploitMitigationThird Party Advisory
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4javaRelease Notes
https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xxThird Party Advisory
https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html
https://security.netapp.com/advisory/ntap-20230127-0014/Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2022-24891?

CVE-2022-24891 is a vulnerability with a CVSS score of 5.4 (MEDIUM). ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in E...

How severe is CVE-2022-24891?

CVE-2022-24891 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-24891?

Check the references section above for vendor advisories and patch information. Affected products include: Owasp Enterprise Security Api, Oracle Weblogic Server, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation.