CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23635 – AntiSamy malicious input can provoke XSS when preserving comments
https://notcve.org/view.php?id=CVE-2024-23635
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later. • https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43643 – mXSS in AntiSamy
https://notcve.org/view.php?id=CVE-2023-43643
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later. • https://github.com/nahsra/antisamy/releases/tag/v1.7.4 https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-29577
https://notcve.org/view.php?id=CVE-2022-29577
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367. OWASP AntiSamy versiones anteriores a 1.6.7, permite un ataque de tipo XSS por medio de contrabando de etiquetas HTML en contenido STYLE con entrada diseñada. El serializador de salida no codifica correctamente el supuesto contenido de las hojas de estilo en cascada (CSS). • https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 https://github.com/nahsra/antisamy/releases/tag/v1.6.7 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-28367
https://notcve.org/view.php?id=CVE-2022-28367
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. OWASP AntiSamy versiones anteriores a 1.6.6, permite un ataque de tipo XSS por medio de contrabando de etiquetas HTML en contenido STYLE con entrada diseñada. El serializador de salida no codifica apropiadamente el supuesto contenido de las hojas de estilo en cascada (CSS) • https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae https://github.com/nahsra/antisamy/releases/tag/v1.6.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-28366
https://notcve.org/view.php?id=CVE-2022-28366
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839. Algunos analizadores de HTML relacionados con Neko permiten una denegación de servicio a través de una entrada de instrucción de procesamiento (PI) manipulada que provoca un consumo excesivo de memoria de la pila. • https://github.com/nahsra/antisamy/releases/tag/v1.6.6 https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27 •