{"id":"UBUNTU-CVE-2023-43643","details":"AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability, your policy file must both enable the `preserveComments` directive and allow certain tags. As a result, specially crafted input can cause elements inside comment tags to be interpreted as executable when AntiSamy's sanitized output is used. This issue has been patched in AntiSamy 1.7.4 and later.","modified":"2026-05-20T16:13:50.511071451Z","published":"2023-10-09T14:15:00Z","upstream":["CVE-2023-43643"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-43643"},{"type":"REPORT","url":"https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2"},{"type":"REPORT","url":"https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6"},{"type":"REPORT","url":"https://github.com/nahsra/antisamy/releases/tag/v1.7.4"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-43643"}],"affected":[{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.3+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.5.3+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.3+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"
libowasp-antisamy-java","binary_version":"1.5.3+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.3+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.5.3+dfsg-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.3+dfsg-1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.5.3+dfsg-1.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.3+dfsg-1.1","1.7.4-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.7.4-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.7.4-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.7.4-1"}]},"data
base_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}},{"package":{"name":"libowasp-antisamy-java","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/libowasp-antisamy-java?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.7.4-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libowasp-antisamy-java","binary_version":"1.7.4-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-43643.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}