
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

bleach.clean's handling of style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag that has an allowed style attribute are vulnerable to ReDoS, for example bleach.clean(..., attributes={'a': ['style']}).

References:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
  https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm

CWE-1333: Inefficient Regular Expression Complexity

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

A mutation XSS affects users calling bleach.clean with all of the following:
  - svg or math in the allowed tags
  - p or br in the allowed tags
  - style, title, noscript, script, textarea, noframes, iframe, or xmp in the allowed tags
  - the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags, and strip_comments defaults to True.

References:
  https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
  https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
  https://access.redhat.com/security/cve/CVE-2021-23980
  https://bugzilla.redhat.com/show_bug.cgi?id=1925252

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 2

In Mozilla Bleach before 3.12, a mutation XSS exists in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

References:
  https://advisory.checkmarx.net/advisory/CX-2020-4277
  https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5
  https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 2

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

References:
  https://advisory.checkmarx.net/advisory/CX-2020-4276
  https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX
  https://www.checkmarx.com/blog/vulnerabilities&

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values were not properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed and have it pass through unsanitized.

References:
  https://bugs.debian.org/892252
  https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
  https://github.com/mozilla/bleach/releases/tag/v2.1.3

CWE-20: Improper Input Validation