A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.hibernate.validator:hibernate-validator(Maven) | 0 | 6.2.0.Final | N/A |
| org.hibernate:hibernate-validator(Maven) | 0 | 6.2.0.Final | N/A |
CVSS Metrics
