Users of com.mikesamuel:json-sanitizer should upgrade to version 1.2.1 or later.

41 views
Skip to first unread message

Mike Samuel

unread,
Jun 9, 2020, 2:44:59 PM6/9/20
to json-sanitizer-support

A bug in com.mikesamuel:json-sanitizer:1.2.0 and prior allows an attacker who controls the content of a JSON string that is later embedded in an HTML <script> element to confuse the HTML parser as to where the <script> element ends. If the attacker also controls other content, e.g. a string of non-JavaScript content adjacent to the <script> element, this can lead to arbitrary JavaScript execution.


See #20 (comment) for details.


CVE-2020-13973



https://github.com/OWASP/json-sanitizer/releases/tag/v1.2.1
Reply all
Reply to author
Forward
0 new messages