CVE-2024-23635
Published 2024-02-02
CVE-2024-23635: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation…
PriorityP426medium6.1CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.37% (28.6th percentile)
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| antisamy_project | antisamy | < 1.7.5 | 1.7.5 |
| debian | libowasp-antisamy-java | — | — |
| nahsra | antisamy | < 1.7.5 | 1.7.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_oracle | — | 6.1 | MEDIUM | — |
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) — CVE-2024-23635
vendor_oracle·2025-01-15·CVSS 6.1
CVE-2024-23635 [MEDIUM] Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) — CVE-2024-23635
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy) vulnerability
CVE: CVE-2024-23635
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
Oracle
Oracle Oracle Systems Risk Matrix: Tools (AntiSamy) — CVE-2024-23635
vendor_oracle·2024-10-15·CVSS 6.1
CVE-2024-23635 [MEDIUM] Oracle Oracle Systems Risk Matrix: Tools (AntiSamy) — CVE-2024-23635
Oracle Oracle Systems Risk Matrix: Tools (AntiSamy) vulnerability
CVE: CVE-2024-23635
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
Oracle
Oracle Oracle Insurance Applications Risk Matrix: Architecture (AntiSamy) — CVE-2024-23635
vendor_oracle·2024-07-15·CVSS 6.1
CVE-2024-23635 [MEDIUM] Oracle Oracle Insurance Applications Risk Matrix: Architecture (AntiSamy) — CVE-2024-23635
Oracle Oracle Insurance Applications Risk Matrix: Architecture (AntiSamy) vulnerability
CVE: CVE-2024-23635
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Web UI (AntiSamy) — CVE-2024-23635
vendor_oracle·2024-04-15·CVSS 6.1
CVE-2024-23635 [MEDIUM] Oracle Oracle Financial Services Applications Risk Matrix: Web UI (AntiSamy) — CVE-2024-23635
Oracle Oracle Financial Services Applications Risk Matrix: Web UI (AntiSamy) vulnerability
CVE: CVE-2024-23635
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
Debian
CVE-2024-23635: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming...
vendor_debian·2024·CVSS 6.1
CVE-2024-23635 [MEDIUM] CVE-2024-23635: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming...
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
Malicious input can provoke XSS when preserving comments
ghsa·2024-02-02
CVE-2024-23635 [MEDIUM] CWE-79 Malicious input can provoke XSS when preserving comments
Malicious input can provoke XSS when preserving comments
# Impact
There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.
# Patches
Patched in AntiSamy 1.7.5 and later. The root cause is parsing behavior in the [neko-htmlunit](https://github.com/HtmlUnit/htmlunit-neko) dependency; just updating to a newer version resolved the issue. See important remediation details in the reference given below.
# Workarounds
If you cannot upgrade to a fixed version of the library,
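The advisory names two preconditions, an AntiSamy version before 1.7.5 and `preserveComments` enabled in the policy file, and both can be checked mechanically. The following audit script is an added example, not code from AntiSamy or from the advisory; it assumes the policy XML uses AntiSamy's `<directives>/<directive name="..." value="..."/>` layout and that an absent directive means comments are not preserved, and the sample policies are constructed.

```python
"""Audit for CVE-2024-23635: AntiSamy < 1.7.5 with preserveComments enabled."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 7, 5)  # first release containing the fix, per the advisory

# Constructed sample policies (not real project files). The <directives>/<directive>
# layout is assumed to match AntiSamy's policy XML format.
WEAK_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
  </directives>
</anti-samy-rules>"""

HARDENED_POLICY = WEAK_POLICY.replace(
    '<directive name="preserveComments" value="true"/>',
    '<directive name="preserveComments" value="false"/>')


def parse_version(version: str) -> tuple:
    """'1.7.4' -> (1, 7, 4); a qualifier such as '1.7.5-SNAPSHOT' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.strip().split("-")[0]))


def preserve_comments_enabled(policy_xml: str) -> bool:
    """True if the policy sets preserveComments=true. An absent directive is
    assumed to mean comments are stripped (treated here as the safe default)."""
    root = ET.fromstring(policy_xml)
    for directive in root.iter("directive"):
        if directive.get("name") == "preserveComments":
            return directive.get("value", "false").strip().lower() == "true"
    return False


def assess(version: str, policy_xml: str) -> dict:
    """Combine the two preconditions named in the advisory into one verdict."""
    below_fix = parse_version(version) < FIXED_VERSION
    comments = preserve_comments_enabled(policy_xml)
    exposed = below_fix and comments
    if exposed:
        action = "upgrade to AntiSamy 1.7.5+ (mXSS reachable via preserved comments)"
    elif below_fix:
        action = "upgrade to AntiSamy 1.7.5+ (not exposed now: comments are stripped)"
    else:
        action = "not affected by CVE-2024-23635"
    return {"version_below_fix": below_fix, "preserve_comments": comments,
            "exposed": exposed, "action": action}
```

Run `assess()` against the dependency version from your build file and the policy XML your application actually loads; a policy that omits the directive is reported as not exposed only under the stated assumption.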
OSV
CVE-2024-23635: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
osv·2024-02-02·CVSS 6.1
CVE-2024-23635 [MEDIUM] CVE-2024-23635: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
OSV
Malicious input can provoke XSS when preserving comments
osv·2024-02-02
CVE-2024-23635 [MEDIUM] Malicious input can provoke XSS when preserving comments
Malicious input can provoke XSS when preserving comments
# Impact
There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.
# Patches
Patched in AntiSamy 1.7.5 and later. The root cause is parsing behavior in the [neko-htmlunit](https://github.com/HtmlUnit/htmlunit-neko) dependency; just updating to a newer version resolved the issue. See important remediation details in the reference given below.
# Workarounds
If you cannot upgrade to a fixed version of the library,
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-02-02