Antisamyproject Antisamy
By the Year
In 2024 there has been 1 vulnerability in Antisamyproject Antisamy with an average score of 6.1 out of ten. Last year Antisamy had 1 security vulnerability published. At the current rate, the number of vulnerabilities this year may equal last year's. The average vulnerability score and the number of vulnerabilities for 2024 and last year were the same.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 6.10 |
2023 | 1 | 6.10 |
2022 | 3 | 6.57 |
2021 | 1 | 6.10 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Antisamy vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Antisamyproject Antisamy Security Vulnerabilities
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
CVE-2024-23635
6.1 - Medium
- February 02, 2024
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
XSS
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources
CVE-2023-43643
6.1 - Medium
- October 09, 2023
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
XSS
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input
CVE-2022-29577
6.1 - Medium
- April 21, 2022
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
XSS
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input
CVE-2022-28367
6.1 - Medium
- April 21, 2022
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
XSS
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input
CVE-2022-28366
7.5 - High
- April 21, 2022
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected)
CVE-2021-35043
6.1 - Medium
- July 19, 2021
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with the HTML5 entity `&colon;` as the replacement for the : character.
XSS
OWASP AntiSamy before 1.5.7
CVE-2017-14735
6.1 - Medium
- September 25, 2017
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of `&colon;` to construct a javascript: URL.
XSS