Description

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.

Remediation

References

https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2

https://github.com/nahsra/antisamy/releases/tag/v1.7.4

Related Vulnerabilities

CVE-2021-23378 Vulnerability in npm package picotts

CVE-2018-3721 Vulnerability in npm package @sailshq/lodash

CVE-2023-35165 Vulnerability in npm package aws-cdk-lib

CVE-2023-46233 Vulnerability in npm package crypto-js

CVE-2020-7636 Vulnerability in npm package adb-driver

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Mitigation Product Vendor Advisory Patch