GHSA-m8p2-495h-ccmh

Source

https://github.com/advisories/GHSA-m8p2-495h-ccmh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-m8p2-495h-ccmh/GHSA-m8p2-495h-ccmh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-m8p2-495h-ccmh

Aliases

CVE-2019-10219

Published

2020-01-08T17:01:52Z

Modified

2025-08-11T16:50:26.700674Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks

Details

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-08T17:00:14Z",
    "nvd_published_at": "2019-11-08T15:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.hibernate.validator:hibernate-validator

Package

Name: org.hibernate.validator:hibernate-validator; View open source insights on deps.dev
Purl: pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0.Alpha1

Fixed

6.1.0.Alpha6

Affected versions

6.*

6.1.0.Alpha1

6.1.0.Alpha2

6.1.0.Alpha3

6.1.0.Alpha4

6.1.0.Alpha5

Maven / org.hibernate.validator:hibernate-validator

Package

Name: org.hibernate.validator:hibernate-validator; View open source insights on deps.dev
Purl: pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0.Alpha1

Fixed

6.0.18.Final

Affected versions

6.*

6.0.0.Alpha1

6.0.0.Alpha2

6.0.0.Beta1

6.0.0.Beta2

6.0.0.CR1

6.0.0.CR2

6.0.0.CR3

6.0.0.Final

6.0.1.Final

6.0.2.Final

6.0.3.Final

6.0.4.Final

6.0.5.Final

6.0.6.Final

6.0.7.Final

6.0.8.Final

6.0.9.Final

6.0.10.Final

6.0.11.Final

6.0.12.Final

6.0.13.Final

6.0.14.Final

6.0.15.Final

6.0.16.Final

6.0.17.Final

Database specific

{
    "last_known_affected_version_range": "<= 6.0.17.Final"
}