CVE-2023-43643

Exploit

EPSS 0.46%
Published 09.10.2023 14:15:10
Last modified 21.11.2024 08:24:31
Source security-advisories@github.com
Teams watchlist Login
Open Login

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Antisamy Project ≫ Antisamy Version < 1.7.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.46%	0.63

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/nahsra/antisamy/releases/tag/v1.7.4

Patch

https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2

Vendor Advisory

Exploit

Product

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-43643

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-43643

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-43643

EUVD