CVE-2022-24891 is a medium-severity cross-site scripting (XSS) vulnerability identified in the ESAPI (Enterprise Security API) esapi-java-legacy library, specifically in versions up to and including 2.2.3.1. ESAPI is an open-source security control library widely used to enhance web application security by providing standardized security functions. The vulnerability arises from an improper neutralization of input during web page generation (CWE-79), caused by an incorrect regular expression pattern for the "onsiteURL" parameter in the antisamy-esapi.xml configuration file. This misconfiguration allows "javascript:" URLs to bypass sanitization checks, enabling malicious script injection. An attacker exploiting this flaw can inject arbitrary JavaScript code into web pages that utilize the vulnerable ESAPI version, potentially leading to session hijacking, credential theft, or other client-side attacks. The issue was patched in ESAPI version 2.3.0.0. Until upgrading, a manual workaround involves editing the antisamy-esapi.xml file to correct the "onsiteURL" regular expression to properly sanitize JavaScript URLs. No known exploits have been reported in the wild, but the vulnerability presents a significant risk to applications relying on the affected ESAPI versions for input sanitization and output encoding.

For European organizations, the impact of this vulnerability can be significant, especially for those developing or maintaining web applications that incorporate the ESAPI esapi-java-legacy library versions prior to 2.3.0.0. Successful exploitation could lead to client-side code execution, enabling attackers to steal sensitive user information such as authentication tokens, personal data, or perform unauthorized actions on behalf of users. This undermines confidentiality and integrity of user sessions and data. The vulnerability primarily affects the availability of trust in the affected web applications, as users may be exposed to phishing or drive-by attacks. Sectors with high reliance on Java-based web applications, including financial services, government portals, and critical infrastructure providers, may face reputational damage and regulatory consequences under GDPR if user data is compromised. Although no active exploits are known, the ease of exploitation through crafted URLs and the widespread use of ESAPI in enterprise Java applications elevate the risk profile for European organizations that have not yet patched or mitigated this issue.

1. Immediate upgrade to ESAPI version 2.3.0.0 or later, which contains the official patch correcting the regular expression for "onsiteURL" and properly sanitizes JavaScript URLs. 2. If upgrading is not immediately feasible, manually edit the antisamy-esapi.xml configuration file to correct the "onsiteURL" regular expression pattern to disallow "javascript:" schemes. This requires careful validation against the official ESAPI security bulletin to ensure the regex is correctly implemented. 3. Conduct a thorough code audit of all web applications using ESAPI to identify usage of the vulnerable antisamy-esapi.xml configuration and ensure no other input sanitization bypasses exist. 4. Implement Content Security Policy (CSP) headers to restrict execution of inline scripts and untrusted sources, mitigating the impact of potential XSS attacks. 5. Enhance logging and monitoring to detect anomalous URL patterns or script injection attempts targeting web applications using ESAPI. 6. Educate developers and security teams on secure coding practices related to input validation and output encoding, emphasizing the importance of keeping third-party libraries up to date.