GoogleOSV:GO-2022-0588Cross-site scripting via leaked style elements in github.com/microcosm-cc/bluemonday
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.7 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
71.7%
The bluemonday HTML sanitizer can leak the contents of a “style” element into HTML output, potentially causing XSS vulnerabilities.
The default bluemonday sanitization policies are not vulnerable. Only user-defined policies allowing “select”, “style”, and “option” elements are affected.
Permitting the “style” element in policies is hazardous, because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress “style” and “script” elements even when allowed by a policy unless the policy explicitly requests unsafe processing.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/microcosm-cc/bluemonday | lt | 1.0.16 |
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.7 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
71.7%