CVE-2023-43643

NameCVE-2023-43643
DescriptionAntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1054164

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libowasp-antisamy-java (PTS)jessie, buster, stretch1.5.3+dfsg-1vulnerable
bullseye, bookworm1.5.3+dfsg-1.1vulnerable
sid, trixie1.7.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libowasp-antisamy-javasourcejessie(unfixed)end-of-life
libowasp-antisamy-javasourcestretch(unfixed)end-of-life
libowasp-antisamy-javasource(unstable)1.7.4-11054164

Notes

[bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
[buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2
https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6 (v1.7.4)
Search for package or bug name: Reporting problems