CVE-2024-23635: Cross-site Scripting in AntiSamy

CWE-79: Cross-site Scripting | 10 documents | 6 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.2% (top 63.65%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Feb 2
Latest update: Jan 15

Description

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEList V5: nahsra/antisamy < 1.7.5

Vulnerability Details (4)

CVEList: AntiSamy malicious input can provoke XSS when preserving comments (2024-02-02)
GHSA: Malicious input can provoke XSS when preserving comments (2024-02-02)
OSV: CVE-2024-23635: AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources (2024-02-02)
OSV: Malicious input can provoke XSS when preserving comments (2024-02-02)

Vendor Advisories (5)

Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (AntiSamy), CVE-2024-23635 (2025-01-15)
Oracle: Oracle Systems Risk Matrix: Tools (AntiSamy), CVE-2024-23635 (2024-10-15)
Oracle: Oracle Insurance Applications Risk Matrix: Architecture (AntiSamy), CVE-2024-23635 (2024-07-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Web UI (AntiSamy), CVE-2024-23635 (2024-04-15)
Debian: CVE-2024-23635: libowasp-antisamy-java - AntiSamy is a library for performing fast, configurable cleansing of HTML coming... (2024)
Source: cvebase (CVE-2024-23635: Cross-site Scripting in AntiSamy)