95 matches found

CVE
added 2025/06/29 11:11 a.m. · 47 views

CVE-2025-5878

CVE-2025-5878 affects the ESAPI Java legacy library, specifically the Encoder.encodeForSQL function in the SQL Injection Defense. The vulnerability arises from improper neutralization of special elements, enabling a remote attacker to exploit SQL injection. Public proof-of-concept exploits exist...

CVSS 7.5 · AI score 7.6 · EPSS 0.00626
Exploits 1 · References 10
Cvelist
added 2025/06/29 11:11 a.m. · 15 views

CVE-2025-5878 ESAPI esapi-java-legacy SQL Injection Defense Encoder.encodeForSQL special element

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been...

CVSS 7.5 · EPSS 0.00626
Exploits 1 · References 9
CNNVD
added 2025/06/29 12:00 a.m. · 3 views

OWASP ESAPI security vulnerability

OWASP ESAPI is a free, open source, Web application security control library from the OWASP Foundation in the United States that makes it easier for programmers to write lower-risk applications. A security vulnerability exists in OWASP ESAPI that stems from improper neutralization of special...

CVSS 7.5 · AI score 7.8 · EPSS 0.00626
Exploits 1 · References 11
Positive Technologies
added 2025/06/29 12:00 a.m. · 5 views

PT-2025-27359

Name of the Vulnerable Software and Affected Versions: ESAPI esapi-java-legacy versions prior to 2.7.0.0
Description: A vulnerability was found in the interface Encoder.encodeForSQL of the SQL Injection Defense, leading to an improper neutralization of special elements. The attack may be initiate...

CVSS 9.8 · AI score 6.6 · EPSS 0.01032
Exploits 4 · References 26
RedhatCVE
added 2025/05/22 10:10 p.m. · 6 views

CVE-2022-24891

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configurati...

CVSS 6.1 · AI score 5.9 · EPSS 0.01032
Exploits 1 · References 1
Tenable Nessus
added 2025/03/05 12:00 a.m. · 8 views

Linux Distros Unpatched Vulnerability : CVE-2022-24891

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a...

CVSS 6.1 · AI score 6.5 · EPSS 0.01032
Exploits 1 · References 2
Tenable Nessus
added 2025/03/05 12:00 a.m. · 10 views

Linux Distros Unpatched Vulnerability : CVE-2022-23457

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation o...

CVSS 9.8 · AI score 7 · EPSS 0.00547
Exploits 2 · References 2
RedhatCVE
added 2025/02/05 11:28 p.m. · 12 views

CVE-2022-23457

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified...

CVSS 9.8 · AI score 6.7 · EPSS 0.00547
Exploits 2 · References 1
IBM Security Bulletins
added 2024/04/02 6:49 a.m. · 16 views

Security Bulletin: Cross-Site scripting vulnerability in ESAPI may affect IBM Business Automation Workflow - IBM X-Force ID: 273485

Summary: IBM Business Automation Workflow is vulnerable to a Cross-Site scripting attack.
Vulnerability Details: IBM X-Force ID: 273485. DESCRIPTION: Enterprise Security API for Java is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the...

AI score 6.9
Exploits 0 · Affected software 2
IBM Security Bulletins
added 2024/02/22 4:26 p.m. · 18 views

Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to OWASP ESAPI (CVE-2010-3300)

Summary: IBM Sterling B2B Integrator uses OWASP ESAPI. This bulletin identifies the steps to take to address the vulnerability.
Vulnerability Details: CVEID: CVE-2010-3300. DESCRIPTION: OWASP ESAPI for Java could allow a remote attacker to obtain sensitive information, caused by a padding oracle...

CVSS 5.9 · AI score 5.6 · EPSS 0.00204
Exploits 0 · Affected software 1
Veracode
added 2023/11/28 6:57 a.m. · 7 views

Cross Site Scripting (XSS)

org.owasp.esapi:esapi is vulnerable to Cross-site Scripting (XSS). The Validator.isValidSafeHTML method, which is responsible for determining whether user-supplied input is safe to include in HTML content, exhibits a flaw that can lead to false negatives. This means that the method may incorrectly...

AI score 6.5
Exploits 0
Github Security Blog
added 2023/11/27 5:25 p.m. · 55 views

Validator.isValidSafeHTML is being deprecated and will be deleted from org.owasp.esapi:esapi in 1 year

Impact: The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true) but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecat...

AI score 6.4
Exploits 0 · References 2 · Affected software 1
OSV
added 2023/11/27 5:25 p.m. · 59 views

GHSA-R68H-JHHJ-9JVM Validator.isValidSafeHTML is being deprecated and will be deleted from org.owasp.esapi:esapi in 1 year

Impact: The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true) but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecat...

AI score 6.4
Exploits 0 · References 2
vulnersOsv
added 2023/11/27 5:25 p.m. · 1 view

cloud.genesys:web-messaging-sdk (>=3.0.0 <=5.0.0), cn.acooly:acooly-auth-wechat-authenticator (=5.2.1) +557 more potentially affected by unknown CVE via org.owasp.esapi:esapi (>=2.0GA <=2.5.5.0)

org.owasp.esapi:esapi MAVEN version =2.0GA, =3.0.0, =5.0.0 - cn.acooly:acooly-auth-wechat-authenticator =5.2.1 - cn.dceast.platform:platform-security-starter =2.2.3 - com.acooly:acooly-component-account =5.2.1 - com.acooly:acooly-component-app =5.2.1 - com.acooly:acooly-component-assetmgmt =5.2.1...

AI score 5.8
Exploits 0
Positive Technologies
added 2023/11/27 12:00 a.m. · 2 views

PT-2023-33058 · Esapi · Esapi

Name of the Vulnerable Software and Affected Versions: ESAPI versions 1.3 through 2.5.x
Description: The Validator.isValidSafeHTML method can result in false negatives, reporting some input as safe when it is not, potentially leading to XSS vulnerabilities. This issue affects all versions of ESAP...

AI score 6.5
Exploits 0 · References 3
Github Security Blog
added 2023/10/27 9:55 p.m. · 254 views

DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Impact: ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods or more specifically...

CVSS 7.5 · AI score 6.9 · EPSS 0.37743
Exploits 1 · References 2 · Affected software 1
vulnersOsv
added 2023/10/27 9:55 p.m. · 3 views

cloud.genesys:web-messaging-sdk (>=3.0.0 <=5.0.0), cn.acooly:acooly-auth-wechat-authenticator (=5.2.1) +530 more potentially affected by unknown CVE via org.owasp.esapi:esapi (>=2.0GA <=2.5.1.0)

org.owasp.esapi:esapi MAVEN version =2.0GA, =3.0.0, =5.0.0 - cn.acooly:acooly-auth-wechat-authenticator =5.2.1 - cn.dceast.platform:platform-security-starter =2.2.3 - com.acooly:acooly-component-account =5.2.1 - com.acooly:acooly-component-app =5.2.1 - com.acooly:acooly-component-assetmgmt =5.2.1...

AI score 5.8
Exploits 0
OSV
added 2023/10/27 9:55 p.m. · 59 views

GHSA-7C2Q-5QMR-V76Q DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Impact: ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods or more specifically...

CVSS 7.5 · AI score 7.2
Exploits 0 · References 2
F5 Networks
added 2023/08/15 7:38 a.m. · 28 views

K000135854: ESAPI (The OWASP Enterprise Security API) vulnerability CVE-2022-23457

Security Advisory Description: ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input strin...

CVSS 9.8 · AI score 7.2 · EPSS 0.00547
Exploits 2
IBM Security Bulletins
added 2023/01/03 4:03 p.m. · 35 views

Security Bulletin: B2B API of IBM Sterling B2B Integrator vulnerable to security bypass due to OWASP ESAPI (CVE-2013-5960)

Summary: IBM Sterling B2B Integrator has addressed the vulnerability in OWASP ESAPI in B2B API.
Vulnerability Details: CVEID: CVE-2013-5960. DESCRIPTION: OWASP ESAPI could allow a remote attacker to bypass security restrictions, caused by the failure to properly resist tampering with serialized...

CVSS 5.8 · AI score 5.9 · EPSS 0.00174
Exploits 1 · Affected software 1