CVE-2024-23635

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.

Published: Feb 2, 2024
Updated: May 4, 2025
CVE: CVE-2024-23635
GHSA: GHSA-2mrq-w8pv-5pvq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.owasp.antisamy / antisamy	-	1.7.5
antisamy_project / antisamy	-	1.7.5

https://github.com/nahsra/antisamy/commit/12a2e31d3855430c119480655c2bbbbb79a66ecd
https://github.com/nahsra/antisamy/commit/3e84410ed06ab67f0a4cc3183c67528210f4847d
https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq

Vulnerability Database

289,599

CVE-2024-23635