Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-M6XF-FQ7Q-8743
HistoryMar 24, 2020 - 3:06 p.m.

mutation XSS via whitelisted math or svg and raw tag in Bleach

2020-03-2415:06:32
Google
osv.dev
14

0.002 Low

EPSS

Percentile

59.1%

JSON

Impact

A mutation XSS affects users calling bleach.clean with all of:

  • the svg or math in the allowed/whitelisted tags
  • an RCDATA tag (see below) in the allowed/whitelisted tags
  • the keyword argument strip=False

Patches

Users are encouraged to upgrade to bleach v3.1.2 or greater.

Workarounds

  • modify bleach.clean calls to use strip=True, or not whitelist math or svg tags and one or more of the following tags:
script
noscript
style
noframes
xmp
noembed
iframe

References

Credits

  • Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
bleacheq1.0.3
bleacheq2.1.3
bleacheq0.3
bleacheq3.1.0
bleacheq0.1.1
bleacheq1.5.0
bleacheq0.2
bleacheq0.3.3
bleacheq0.5.0
bleacheq1.0.0
Rows per page:
1-10 of 421

Related

alpinelinux 1
debian 2
github 1
ubuntucve 1
redhatcve 1
debiancve 1
nvd 1
nessus 2
osv 3
cvelist 1
openvas 4
cve 1
fedora 1
veracode 1
prion 1
ibm 1
mageia 1
suse 2
alpinelinux
alpinelinux
CVE-2020-6816
2020-03-24 22:15:12
debian
debian
[SECURITY] [DSA 4643-1] python-bleach security update
2020-03-20 20:03:13
[SECURITY] [DSA 4643-1] python-bleach security update
2020-03-20 20:03:13
github
github
mutation XSS via whitelisted math or svg and raw tag in Bleach
2020-03-24 15:06:32
ubuntucve
ubuntucve
CVE-2020-6816
2020-03-24 00:00:00
redhatcve
redhatcve
CVE-2020-6816
2022-05-20 23:42:16
debiancve
debiancve
CVE-2020-6816
2020-03-24 22:15:12
nvd
nvd
CVE-2020-6816
2020-03-24 22:15:12
nessus
nessus
Debian DSA-4643-1 : python-bleach - security update
2020-03-23 00:00:00
openSUSE Security Update : python-bleach (openSUSE-2021-552)
2021-04-15 00:00:00
osv
osv
PYSEC-2020-28
2020-03-24 22:15:00
python-bleach - security update
2020-03-20 00:00:00
CVE-2020-6816
2020-03-24 22:15:12
cvelist
cvelist
CVE-2020-6816
2020-03-24 21:15:40
openvas
openvas
Fedora: Security Advisory for python-bleach (FEDORA-2020-e0f35d634c)
2020-10-24 00:00:00
Debian: Security Advisory (DSA-4643-1)
2020-03-21 00:00:00
Mageia: Security Advisory (MGASA-2020-0176)
2022-01-28 00:00:00
cve
cve
CVE-2020-6816
2020-03-24 22:15:12
fedora
fedora
[SECURITY] Fedora 33 Update: python-bleach-3.2.1-1.fc33
2020-10-23 22:20:49
veracode
veracode
Cross-Site Scripting (XSS)
2020-03-20 05:26:58
prion
prion
Cross site scripting
2020-03-24 22:15:00
ibm
ibm
Security Bulletin: A security vulnerability has been identified in Bleach shipped with IBM Watson Machine Learning Community Edition (WMLCE)
2020-05-19 17:00:30
mageia
mageia
Updated python-bleach packages fix security vulnerability
2020-04-20 17:02:32
suse
suse
Security update for python-bleach (important)
2021-04-14 00:00:00
Security update for python-bleach (important)
2021-04-18 00:00:00

0.002 Low

EPSS

Percentile

59.1%

JSON
Related for OSV:GHSA-M6XF-FQ7Q-8743
alpinelinux1debian2github1ubuntucve1redhatcve1debiancve1nvd1nessus2osv3cvelist1openvas4cve1fedora1veracode1prion1ibm1mageia1suse2