8 matches found
CVE-2024-23635
CVE-2024-23635 affects AntiSamy prior to version 1.7.5, due to flawed HTML parsing when preserveComments is enabled, enabling potential mutation XSS. The connected IBM advisories confirm the issue and indicate the fix is to upgrade AntiSamy to 1.7.5 or newer. Practical impact is cross-site script...
CVE-2022-28366
CVE-2022-28366 affects Neko HTML parsers used by HtmlUnit-Neko (up to 2.26; fixed in 2.27) and by CyberNeko HTML (up to 1.9.22; 1.9.22 is the last release). The issue is a denial of service via crafted Processing Instruction input that leads to excessive heap memory consumption. OWASP AntiSamy be...
CVE-2022-29577
AntiSamy vulnerability CVE-2022-29577 affects AntiSamy before 1.6.7, allowing cross-site scripting via HTML/CSS content smuggling in STYLE content. The flaw stems from incomplete encoding in the output serializer for CSS/CSS-like input, enabling an attacker to execute script in the victim’s brows...
CVE-2022-28367
CVE-2022-28367 affects the OWASP AntiSamy library (pre-1.6.6) and enables cross-site scripting by smuggling CSS (STYLE) content; the output serializer fails to properly encode CSS content. Multiple connected sources (Nessus, IBM advisories, GitHub GHSA entries) corroborate XSS via STYLE/CSS input...
CVE-2021-35043
CVE-2021-35043 affects OWASP AntiSamy prior to 1.6.4. The issue is a cross-site scripting (XSS) flaw in the HTML output serializer where HTML attributes can be exploited, demonstrated by a javascript: URL substituted via : for the colon character. The vulnerability is documented in OSV (GHS...
CVE-2017-14735
CVE-2017-14735 affects OWASP AntiSamy prior to version 1.5.7, enabling XSS via HTML5 entities (e.g., using : to construct a javascript: URL). The connected data show affected bundles in Crucible prior to 4.7.1 and other Atlassian integrations, indicating the vulnerability can exist in embedded An...
CVE-2023-43643
CVE-2023-43643 concerns AntiSamy, a library for cleansing HTML. The connected documents confirm a mutation XSS (mXSS) vulnerability in Ant iSamy prior to 1.7.4 when preserveComments is enabled and certain tags are allowed, allowing crafted inputs to make comment-tag elements executable in sanitiz...
CVE-2016-10006
CVE-2016-10006 affects the HTML/CSS sanitizer library in OWASP AntiSamy prior to version 1.5.5. A specially crafted input (a tag that supports style with active content) could bypass protections and cause executable code to be executed in the context of affected applications, yielding a Cross‑Sit...