GHSA-m8p2-495h-ccmh

Suggest an improvement
Source
https://github.com/advisories/GHSA-m8p2-495h-ccmh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-m8p2-495h-ccmh/GHSA-m8p2-495h-ccmh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m8p2-495h-ccmh
Aliases
Published
2020-01-08T17:01:52Z
Modified
2025-08-11T16:50:26.700674Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks
Details

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-08T17:00:14Z",
    "nvd_published_at": "2019-11-08T15:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.hibernate.validator:hibernate-validator

Package

Name
org.hibernate.validator:hibernate-validator
View open source insights on deps.dev
Purl
pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0.Alpha1
Fixed
6.1.0.Alpha6

Affected versions

6.*

6.1.0.Alpha1
6.1.0.Alpha2
6.1.0.Alpha3
6.1.0.Alpha4
6.1.0.Alpha5

Maven / org.hibernate.validator:hibernate-validator

Package

Name
org.hibernate.validator:hibernate-validator
View open source insights on deps.dev
Purl
pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0.Alpha1
Fixed
6.0.18.Final

Affected versions

6.*

6.0.0.Alpha1
6.0.0.Alpha2
6.0.0.Beta1
6.0.0.Beta2
6.0.0.CR1
6.0.0.CR2
6.0.0.CR3
6.0.0.Final
6.0.1.Final
6.0.2.Final
6.0.3.Final
6.0.4.Final
6.0.5.Final
6.0.6.Final
6.0.7.Final
6.0.8.Final
6.0.9.Final
6.0.10.Final
6.0.11.Final
6.0.12.Final
6.0.13.Final
6.0.14.Final
6.0.15.Final
6.0.16.Final
6.0.17.Final

Database specific

{
    "last_known_affected_version_range": "<= 6.0.17.Final"
}