CVE-2023-43643
Published: 2023-10-09 00:00
Source: ubuntucve (ubuntu.com), UB:CVE-2023-43643
Tags: antisamy, html cleansing, mxss, preservecomments, policy file, executable elements, security patch, unix

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0
Percentile: 12.6%

AntiSamy is a library for performing fast, configurable cleansing of HTML
coming from untrusted sources. Prior to version 1.7.4, there is a potential
mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of
the HTML being sanitized. To be subject to this vulnerability, the policy
file must enable the preserveComments directive and, at the same time,
allow certain tags. As a result, certain crafted inputs can cause content
inside comment tags to be interpreted as executable when AntiSamy's
sanitized output is used. This issue has been patched in AntiSamy 1.7.4 and
later.
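A defender-side check for the precondition named above, written here as an added example (not code from the advisory or from the AntiSamy project): it loads the deployed policy, refuses to proceed if the preserveComments directive is enabled, and only then sanitizes input. The file name antisamy.xml and the class name are assumptions; Policy.getDirective, Policy.getInstance and AntiSamy.scan are the library's public API.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyCommentCheck {

    // Fail fast if the loaded policy still keeps HTML comments: together with
    // permitted tags, that is the configuration CVE-2023-43643 depends on
    // when running AntiSamy older than 1.7.4. Dropping comments removes the
    // precondition; upgrading to 1.7.4 or later removes the parsing flaw.
    static void requireCommentsDropped(Policy policy) {
        String preserve = policy.getDirective("preserveComments");
        if ("true".equalsIgnoreCase(preserve)) {
            throw new IllegalStateException(
                "policy enables preserveComments; set it to false "
                + "or run AntiSamy >= 1.7.4");
        }
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        // "antisamy.xml" is a placeholder for the policy file you actually deploy.
        Policy policy = Policy.getInstance("antisamy.xml");
        requireCommentsDropped(policy);

        // Constructed sample input: ordinary markup next to an HTML comment.
        String untrusted = "<p>hello</p><!-- note -->";
        CleanResults results = new AntiSamy().scan(untrusted, policy);

        // With preserveComments disabled the comment does not survive cleansing.
        System.out.println(results.getCleanHTML());
    }
}
```

Run this once at startup so a misconfigured policy is caught before any untrusted HTML is processed rather than discovered in output.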
