CVE-2024-23635

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
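As an added example that is not part of this advisory or of the AntiSamy project, the Java class below loads an AntiSamy policy and refuses it while `preserveComments` is enabled, which is the defensive check worth adding to any deployment that cannot yet move to 1.7.5. The policy file name `antisamy-policy.xml` and the sample input are assumptions; the `Policy`, `AntiSamy` and `CleanResults` calls are the library's public API as the example's author understands it.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.InputStream;

public class HardenedPolicyLoader {

    // Directive named in CVE-2024-23635. In the policy XML it appears as
    // <directive name="preserveComments" value="true|false"/> under <directives>.
    private static final String PRESERVE_COMMENTS = "preserveComments";

    /**
     * Loads the policy and rejects it when comments would be preserved,
     * so the vulnerable configuration cannot reach production unnoticed.
     */
    public static Policy loadHardenedPolicy(InputStream policyXml) throws PolicyException {
        Policy policy = Policy.getInstance(policyXml);
        if ("true".equalsIgnoreCase(policy.getDirective(PRESERVE_COMMENTS))) {
            throw new PolicyException(
                "Refusing policy: preserveComments=true is the precondition for the mXSS in "
                + "CVE-2024-23635; set it to false or upgrade AntiSamy to 1.7.5 or later");
        }
        return policy;
    }

    /** Sanitizes untrusted HTML with a policy that has passed the check above. */
    public static String sanitize(String untrustedHtml, Policy policy)
            throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // "antisamy-policy.xml" is a placeholder for the application's own policy on the classpath.
        try (InputStream in = HardenedPolicyLoader.class.getResourceAsStream("/antisamy-policy.xml")) {
            Policy policy = loadHardenedPolicy(in);
            // Constructed sample input: with preserveComments=false the comment is dropped entirely.
            String sample = "<p>hello</p><!-- a comment -->";
            System.out.println(sanitize(sample, policy));
        }
    }
}
```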
References

https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq - Mitigation, Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*

History

10 Feb 2024, 01:38

Type         Values Removed                                                              Values Added
CVSS         v2: unknown; v3: unknown                                                    v2: unknown; v3: 6.1
First Time                                                                               Antisamy Project; Antisamy Project antisamy
CPE                                                                                      cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*
References   https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq  https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq - Mitigation, Third Party Advisory

02 Feb 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-02 17:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-23635

Mitre link : CVE-2024-23635

CVE.ORG link : CVE-2024-23635


Products Affected

antisamy_project

  • antisamy

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')