bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the “script” string.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/microcosm-cc/bluemonday | lt | 1.0.5 |
github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee
github.com/microcosm-cc/bluemonday/issues/111
github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5
nvd.nist.gov/vuln/detail/CVE-2021-29272
pkg.go.dev/vuln/GO-2022-0762
vuln.ryotak.me/advisories/4
vuln.ryotak.me/advisories/4.txt