CVE-2023-51652

Summary

The vulnerability with CVE ID CVE-2023-51652 affects OWASP AntiSamy .NET library versions prior to 1.2.0. It is a mutation cross-site scripting (mXSS) vulnerability caused by flawed parsing of HTML during the sanitization process. The vulnerability can be exploited when the `preserveComments` directive is enabled in the policy file and certain tags are allowed at the same time. Crafty inputs can lead to executable elements being interpreted within comment tags in AntiSamy's sanitized output. The vulnerability has been patched in OWASP AntiSamy .NET 1.2.0 and later versions. As a temporary workaround, users can manually edit the AntiSamy policy file by removing or setting the value of `preserveComments` directive to `false`. Additionally, it is recommended to remove the `noscript` tag by following instructions provided in the GitHub Security Advisory. This vulnerability poses a medium risk with a base severity score of 6.1, requiring user interaction and having low impacts on integrity and confidentiality of an organization's systems.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.