libowasp-antisamy-java: CVE-2023-43643

Debian Bug report logs - #1054164
libowasp-antisamy-java: CVE-2023-43643

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libowasp-antisamy-java: CVE-2023-43643

Date: Wed, 18 Oct 2023 15:32:17 +0200

Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libowasp-antisamy-java.

Note: The severity is set to RC, though 'important' would better fit.
It looks that in each supported version in Debian we are still at
1.5.3. Is the library still maintained within Debian?

CVE-2023-43643[0]:
| AntiSamy is a library for performing fast, configurable cleansing of
| HTML coming from untrusted sources. Prior to version 1.7.4, there is
| a potential for a mutation XSS (mXSS) vulnerability in AntiSamy
| caused by flawed parsing of the HTML being sanitized. To be subject
| to this vulnerability the `preserveComments` directive must be
| enabled in your policy file and also allow for certain tags at the
| same time. As a result, certain crafty inputs can result in elements
| in comment tags being interpreted as executable when using
| AntiSamy's sanitized output. This issue has been patched in AntiSamy
| 1.7.4 and later.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43643
    https://www.cve.org/CVERecord?id=CVE-2023-43643
[1] https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2
[2] https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6

Regards,
Salvatore

Send a report that this bug log contains spam.