AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
References
Link | Resource |
---|---|
https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq | Mitigation Third Party Advisory |
Configurations
History
10 Feb 2024, 01:38
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
First Time |
Antisamy Project
Antisamy Project antisamy |
|
CPE | cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:* | |
References | () https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq - Mitigation, Third Party Advisory |
02 Feb 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-02 17:15
Updated : 2024-02-28 20:54
NVD link : CVE-2024-23635
Mitre link : CVE-2024-23635
CVE.ORG link : CVE-2024-23635
JSON object : View
Products Affected
antisamy_project
- antisamy
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')