CVE-2020-6817
https://notcve.org/view.php?id=CVE-2020-6817
bleach.clean's parsing of style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag that has an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). • https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2021-23980 – python-bleach: Mutation cross-site scripting in bleach.clean
https://notcve.org/view.php?id=CVE-2021-23980
A mutation XSS affects users calling bleach.clean with all of the following: svg or math in the allowed tags; p or br in the allowed tags; style, title, noscript, script, textarea, noframes, iframe, or xmp in the allowed tags; and the keyword argument strip_comments=False. Note: none of the above tags are in the default allowed tags, and strip_comments defaults to True. • https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980 https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq https://access.redhat.com/security/cve/CVE-2021-23980 https://bugzilla.redhat.com/show_bug.cgi?id=1925252 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-6816
https://notcve.org/view.php?id=CVE-2020-6816
In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. • https://advisory.checkmarx.net/advisory/CX-2020-4277 https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5 https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-6802
https://notcve.org/view.php?id=CVE-2020-6802
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. • https://advisory.checkmarx.net/advisory/CX-2020-4276 https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX https://www.checkmarx.com/blog/vulnerabilities& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-7753
https://notcve.org/view.php?id=CVE-2018-7753
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized. • https://bugs.debian.org/892252 https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef https://github.com/mozilla/bleach/releases/tag/v2.1.3 • CWE-20: Improper Input Validation •