
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A mutation XSS (mXSS) vulnerability was discovered in AntiSamy versions prior to 1.7.5. The vulnerability (CVE-2024-23635) is caused by flawed parsing of HTML being sanitized when the preserveComments directive is enabled in the policy file (GitHub Advisory).
The vulnerability stems from parsing behavior in the neko-htmlunit dependency: certain crafted inputs cause content that AntiSamy placed inside HTML comments to be reinterpreted as live markup when the sanitized output is later parsed by a browser. The vulnerability has a CVSS v3.1 base score of 6.1, indicating moderate severity, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This means it requires network access, has low attack complexity, needs no privileges, but requires user interaction, with potential impacts to confidentiality and integrity (GitHub Advisory).
When successfully exploited, this vulnerability can lead to cross-site scripting attacks through mutation of sanitized content. The impact primarily affects confidentiality and integrity at a low level, with no direct impact on availability. The vulnerability requires the preserveComments directive to be enabled in the policy file to be exploitable (GitHub Advisory).
The vulnerability has been patched in AntiSamy version 1.7.5 and later by updating the neko-htmlunit dependency. For users unable to upgrade immediately, a temporary workaround is available: manually edit the AntiSamy policy file (antisamy.xml) by either deleting the preserveComments directive or setting its value to false. However, this workaround is not recommended as a long-term solution as it doesn't address the root cause (GitHub Advisory).
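As an added example (not part of this advisory or the AntiSamy project), the following Python script checks a policy file for the exploitable setting and applies the interim workaround described above. It assumes the standard AntiSamy policy layout of a `<directives>` element holding `<directive name="..." value="..."/>` entries; the sample policy is constructed.

```python
"""Audit an AntiSamy policy for preserveComments and produce a hardened copy
(the interim workaround for CVE-2024-23635 until AntiSamy >= 1.7.5 is deployed)."""
import xml.etree.ElementTree as ET

# Constructed sample in the AntiSamy policy layout (assumed: <directives>
# containing <directive name="..." value="..."/> entries).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
    <directive name="formatOutput" value="true"/>
  </directives>
</anti-samy-rules>
"""


def preserve_comments_enabled(policy_xml: str) -> bool:
    """Return True if the policy enables preserveComments (the exploitable setting)."""
    root = ET.fromstring(policy_xml)
    for directive in root.iter("directive"):
        if directive.get("name") == "preserveComments":
            return directive.get("value", "false").strip().lower() == "true"
    # Directive absent: assumed not enabled (a missing directive is not "true").
    return False


def harden_policy(policy_xml: str, remove: bool = False) -> str:
    """Return a copy of the policy with preserveComments set to false or removed."""
    root = ET.fromstring(policy_xml)
    for directives in root.iter("directives"):
        for directive in list(directives):
            if directive.tag == "directive" and directive.get("name") == "preserveComments":
                if remove:
                    directives.remove(directive)
                else:
                    directive.set("value", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("preserveComments enabled:", preserve_comments_enabled(SAMPLE_POLICY))
    print(harden_policy(SAMPLE_POLICY))
```

Run it against a deployed antisamy.xml to confirm the directive is disabled; upgrading to 1.7.5 or later remains the actual fix.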
Source: This report was generated using AI