Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libowasp-antisamy-java.

Note: The severity is set to RC, though 'important' would better fit.
It looks like every supported version in Debian is still at
1.5.3. Is the library still maintained within Debian?

CVE-2023-43643[0]:
| AntiSamy is a library for performing fast, configurable cleansing of
| HTML coming from untrusted sources. Prior to version 1.7.4, there is
| a potential for a mutation XSS (mXSS) vulnerability in AntiSamy
| caused by flawed parsing of the HTML being sanitized. To be subject
| to this vulnerability the `preserveComments` directive must be
| enabled in your policy file and also allow for certain tags at the
| same time. As a result, certain crafty inputs can result in elements
| in comment tags being interpreted as executable when using
| AntiSamy's sanitized output. This issue has been patched in AntiSamy
| 1.7.4 and later.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43643
    https://www.cve.org/CVERecord?id=CVE-2023-43643
[1] https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2
[2] https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6

Regards,
Salvatore
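As an added example (not part of this bug report, and not code from the AntiSamy project), the check below loads an AntiSamy policy and refuses to sanitize with it while the `preserveComments` directive is enabled, since that is the precondition the advisory names for releases before 1.7.4 and a Debian system on 1.5.3 cannot rely on the upstream fix. It uses AntiSamy's public API (`Policy.getInstance`, `Policy.getDirective`, `AntiSamy.scan`, `CleanResults.getCleanHTML`); the policy file path is a placeholder.

```java
// Added example: guard an AntiSamy deployment against the CVE-2023-43643
// precondition (preserveComments enabled) until the library is upgraded.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class PolicyCheck {

    /** True when the loaded policy keeps HTML comments in sanitized output. */
    static boolean preservesComments(Policy policy) {
        // getDirective returns null when the directive is absent from the policy file
        String value = policy.getDirective("preserveComments");
        return "true".equalsIgnoreCase(value);
    }

    /** Sanitize untrusted HTML, but only with a policy that drops comments. */
    static String sanitize(String untrustedHtml, Policy policy)
            throws ScanException, PolicyException {
        if (preservesComments(policy)) {
            throw new PolicyException(
                "policy enables preserveComments; set it to false or upgrade AntiSamy to 1.7.4 or later");
        }
        CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: point this at the policy file your application ships.
        Policy policy = Policy.getInstance("/path/to/antisamy-policy.xml");
        // Constructed sample input; the comment is stripped when preserveComments is off.
        System.out.println(sanitize("<p>hello <!-- note --> world</p>", policy));
    }
}
```

In the policy XML the directive itself reads `<directive name="preserveComments" value="false"/>` inside the `<directives>` block; leaving it unset has the same effect as `false` for this check.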
