CVE-2023-43643
published 2023-10-09CVE-2023-43643: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a…
PriorityP426medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.48%
37.6th percentile
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| antisamy_project | antisamy | < 1.7.4 | 1.7.4 |
| debian | libowasp-antisamy-java | < libowasp-antisamy-java 1.7.4-1 (forky) | libowasp-antisamy-java 1.7.4-1 (forky) |
| nahsra | antisamy | <= 1.7.3 | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv6.1MEDIUM
vendor_debian6.1MEDIUM
vendor_oracle6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
mXSS in AntiSamy
osv·2023-10-09
CVE-2023-43643 [MEDIUM] mXSS in AntiSamy
mXSS in AntiSamy
# Impact
There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.
# Patches
Patched in AntiSamy 1.7.4 and later. See important remediation details in the reference given below.
# Workarounds
If you cannot upgrade to a fixed version of the library, the following mitigation can be applied until you can upgrade: Manually edit your AntiSamy policy file (e.g., antisamy.xml) by deleting the `preserveComments`
GHSA
mXSS in AntiSamy
ghsa·2023-10-09
CVE-2023-43643 [MEDIUM] CWE-79 mXSS in AntiSamy
mXSS in AntiSamy
# Impact
There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.
# Patches
Patched in AntiSamy 1.7.4 and later. See important remediation details in the reference given below.
# Workarounds
If you cannot upgrade to a fixed version of the library, the following mitigation can be applied until you can upgrade: Manually edit your AntiSamy policy file (e.g., antisamy.xml) by deleting the `preserveComments`
OSV
CVE-2023-43643: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
osv·2023-10-09·CVSS 6.1
CVE-2023-43643 [MEDIUM] CVE-2023-43643: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) — CVE-2023-43643
vendor_oracle·2024-01-15·CVSS 6.1
CVE-2023-43643 [MEDIUM] Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) — CVE-2023-43643
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) vulnerability
CVE: CVE-2023-43643
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Debian
CVE-2023-43643: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming...
vendor_debian·2023·CVSS 6.1
CVE-2023-43643 [MEDIUM] CVE-2023-43643: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming...
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.7.4-1)
sid: resolved (fixed in 1.7.4-1)
trixie: resolved (fixed in 1.7.4-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-10-09
Published