CVE-2023-51652: 
C# vulnerability analysis and mitigation

OWASP AntiSamy .NET, a library for performing cleansing of HTML from untrusted sources, was found to contain a mutation cross-site scripting (mXSS) vulnerability (CVE-2023-51652) prior to version 1.2.0. The vulnerability was disclosed on January 2, 2024, and affects all versions of the library before 1.2.0 (GitHub Advisory).

The vulnerability is caused by flawed parsing of HTML being sanitized when the preserveComments directive is enabled in the policy file along with certain allowed tags. The issue allows crafted inputs to result in elements within comment tags being interpreted as executable code when using AntiSamy's sanitized output. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

When successfully exploited, this vulnerability could allow attackers to execute malicious JavaScript code in the context of the user's browser through mutation-based cross-site scripting attacks. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other client-side attacks (GitHub Advisory).

The vulnerability has been patched in OWASP AntiSamy .NET version 1.2.0 and later. For users unable to upgrade immediately, a temporary workaround is available: manually edit the AntiSamy policy file (antisamy.xml) by either deleting the preserveComments directive or setting its value to false. Additionally, it is recommended to remove the noscript tag from the policy definitions. However, these workarounds don't address the root cause and rely on configurations that may change in the future, so upgrading to a fixed version is strongly recommended (GitHub Advisory).