Lucene search

GoogleOSV:GHSA-Q65M-PV3F-WR5R

HistoryFeb 24, 2020 - 5:33 p.m.

XSS in Bleach when noscript and raw tag whitelisted

2020-02-2417:33:44

Google

osv.dev

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.1%

JSON

Impact

A mutation XSS affects users calling bleach.clean with noscript and a raw tag (see below) in the allowed/whitelisted tags option.

Patches

v3.1.1

Workarounds

modify bleach.clean calls to not whitelist noscript and one or more of the following raw tags:

title
textarea
script
style
noembed
noframes
iframe
xmp

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

Credits

Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at [email protected]

CPENameOperatorVersion
bleacheq1.0.3
bleacheq2.1.3
bleacheq0.3
bleacheq3.1.0
bleacheq0.1.1
bleacheq1.5.0
bleacheq0.2
bleacheq0.3.3
bleacheq0.5.0
bleacheq1.0.0

Name	Operator	Version
bleach	eq	1.0.3
bleach	eq	2.1.3
bleach	eq	0.3
bleach	eq	3.1.0
bleach	eq	0.1.1
bleach	eq	1.5.0
bleach	eq	0.2
bleach	eq	0.3.3
bleach	eq	0.5.0
bleach	eq	1.0.0

Rows per page:

1-10 of 411

References

advisory.checkmarx.net/advisory/CX-2020-4276

bugzilla.mozilla.org/show_bug.cgi?id=1615315

cure53.de/fp170.pdf

github.com/mozilla/bleach

github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd

github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r

lists.fedoraproject.org/archives/list/[email protected]/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI

lists.fedoraproject.org/archives/list/[email protected]/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4

lists.fedoraproject.org/archives/list/[email protected]/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX

nvd.nist.gov/vuln/detail/CVE-2020-6802

www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.1%

JSON

Related for OSV:GHSA-Q65M-PV3F-WR5R