CVE-2023-43643Cross-site Scripting in Project Antisamy

CWE-79Cross-site Scripting7 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
0.5%
top 35.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Antisamy Project AntisamyNahsra Antisamy
Timeline
PublishedOct 9
Latest updateJan 15

Description

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpret

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5nahsra/antisamy1.7.3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
mXSS in AntiSamy2023-10-09
GHSA
mXSS in AntiSamy2023-10-09
CVEList
mXSS in AntiSamy2023-10-09
OSV
CVE-2023-43643: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources2023-10-09

📋Vendor Advisories

2
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) — CVE-2023-436432024-01-15
Debian
CVE-2023-43643: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming...2023
CVE-2023-43643 — Cross-site Scripting | cvebase