Lucene search

Veracode Vulnerability DatabaseVERACODE:43708

HistoryOct 10, 2023 - 6:35 a.m.

Cross Site Scripting

2023-10-1006:35:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

antisamy

cross site scripting

html parsing

vulnerability

javascript

comment tags

policy file

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.7%

JSON

AntiSamy is vulnerable to Cross Site Scripting. The vulnerability arises due to flawed parsing of the HTML being sanitized. As a result an attacker can execute malicious JavaScript on client side by using certain crafty inputs resulting in elements in comment tags being interpreted as executable when using AntiSamy’s sanitized output. The preserveComments directive must be enabled in the AntiSamy policy file (e.g., antisamy.xml) to get subjected to this vulnerability.

CPENameOperatorVersion
owasp antisamyle1.7.3
owasp antisamyle1.7.3
libowasp-antisamy-java:sideq1.5.3+dfsg-1

Name	Operator	Version
owasp antisamy	le	1.7.3
owasp antisamy	le	1.7.3
libowasp-antisamy-java:sid	eq	1.5.3+dfsg-1

References

github.com/advisories/GHSA-pcf2-gh6g-h5r2

github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6

github.com/nahsra/antisamy/releases/tag/v1.7.4

github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.7%

JSON

Related for VERACODE:43708