Vulnerability Details : CVE-2023-43643
Potential exploit
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
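The two preconditions named above are both visible in the AntiSamy policy XML: a `<directive name="preserveComments" value="true"/>` entry and `<tag>` rules whose action lets the tag survive sanitization. The following standalone Java program is an added example for auditing a policy file against those preconditions; it is not code from the AntiSamy project. It parses the policy with a hardened JDK DOM parser rather than the AntiSamy `Policy` API, so it needs no AntiSamy dependency, and the embedded policy fragment is a constructed sample, not a real shipped policy. The element and attribute names it reads (`directive`, `tag`, `name`, `value`, `action`) are the ones AntiSamy policy files use; the reading of the four `action` values in the comments reflects AntiSamy's documented behaviour as understood by the editor.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Audits an AntiSamy policy file for the CVE-2023-43643 preconditions. */
public final class AntiSamyPolicyAudit {

    // Constructed sample policy fragment for offline demonstration only.
    // A real antisamy policy file carries many more sections (regexps,
    // attributes, css-rules, ...); this is just enough to exercise the checks.
    static final String SAMPLE_POLICY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<anti-samy-rules>\n" +
        "  <directives>\n" +
        "    <directive name=\"omitXmlDeclaration\" value=\"true\"/>\n" +
        "    <directive name=\"preserveComments\" value=\"true\"/>\n" +
        "  </directives>\n" +
        "  <tag-rules>\n" +
        "    <tag name=\"b\" action=\"validate\"/>\n" +
        "    <tag name=\"p\" action=\"validate\"/>\n" +
        "    <tag name=\"font\" action=\"truncate\"/>\n" +
        "    <tag name=\"div\" action=\"filter\"/>\n" +
        "    <tag name=\"script\" action=\"remove\"/>\n" +
        "  </tag-rules>\n" +
        "</anti-samy-rules>\n";

    /** Parses policy XML with DTDs and external entities disabled (no XXE). */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** True only if a preserveComments directive is present and set to "true". */
    static boolean preservesComments(Document policy) {
        NodeList directives = policy.getElementsByTagName("directive");
        for (int i = 0; i < directives.getLength(); i++) {
            Element d = (Element) directives.item(i);
            if ("preserveComments".equals(d.getAttribute("name"))) {
                return "true".equalsIgnoreCase(d.getAttribute("value").trim());
            }
        }
        return false; // AntiSamy only preserves comments when the directive is literally "true"
    }

    /**
     * Tags the policy lets through intact. "validate" keeps the tag (with attribute
     * checks) and "truncate" keeps it stripped of attributes; "filter" drops the tag
     * but keeps its content, and "remove" drops tag and content, so those two are
     * excluded here.
     */
    static List<String> allowedTags(Document policy) {
        List<String> kept = new ArrayList<>();
        NodeList tags = policy.getElementsByTagName("tag");
        for (int i = 0; i < tags.getLength(); i++) {
            Element t = (Element) tags.item(i);
            String action = t.getAttribute("action").trim().toLowerCase();
            if (action.equals("validate") || action.equals("truncate")) {
                kept.add(t.getAttribute("name"));
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java AntiSamyPolicyAudit /path/to/antisamy-policy.xml
        // Without an argument the constructed sample policy is audited.
        byte[] xml = args.length > 0
            ? Files.readAllBytes(Paths.get(args[0]))
            : SAMPLE_POLICY.getBytes(StandardCharsets.UTF_8);
        Document policy = parse(xml);
        boolean preserve = preservesComments(policy);
        List<String> tags = allowedTags(policy);
        System.out.println("preserveComments enabled: " + preserve);
        System.out.println("tags kept by the policy:  " + tags);
        if (preserve && !tags.isEmpty()) {
            System.out.println("WARNING: policy matches the CVE-2023-43643 preconditions. "
                + "Upgrade AntiSamy to 1.7.4 or later, or set preserveComments to false.");
        } else {
            System.out.println("Policy does not meet both preconditions; still upgrade to 1.7.4+.");
        }
    }
}
```

Run it against the sample and it reports `preserveComments enabled: true` with `[b, p, font]` kept, hence the warning. Disabling the directive is the configuration-side workaround; the fix itself is the 1.7.4 release, so the audit is a triage aid for deployments that cannot upgrade immediately, not a substitute for upgrading.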
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-43643
- cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-43643
- EPSS score: 0.46% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~63% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-43643
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | GitHub, Inc. | |
CWE ids for CVE-2023-43643
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-43643
- https://github.com/nahsra/antisamy/releases/tag/v1.7.4 (Release version 1.7.4 · nahsra/antisamy · GitHub) [Patch]
- https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2 (mXSS when preserving comments · Advisory · nahsra/antisamy · GitHub) [Exploit; Mitigation; Product; Vendor Advisory]