GHSA-GJ48-438W-JH9V Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes

Summary Bleach clean / Cleaner fails to sanitize dangerous URI schemes in allowed formaction attributes. Bleach applies URI protocol sanitization only to attributes listed in attrvalisuri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is...

GHSA-8RFP-98V4-MMR6 Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

Impact A possible XSS bypass affects users calling bleach.clean with all of: a in the allowed tags href in allowed attributes The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme...

Astra Linux - уязвимость в python-bleach

A mutation XSS affects users who call bleachclean with any of the following tags: svg or math within the allowed tags p or br in allowed tags, style, title, noscript, script, textarea, noframes, iframe, or xmp within allowed tags. The keyword argument is stripcomments=False. Note: None of the abo...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Bleach vulnerabilities (USN-8077-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8077-1 advisory. It was discovered that Bleach did not properly sanitize URI attributes containing character entities. An attacker could possibly...

Ubuntu: Security Advisory (USN-8077-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

USN-8077-1: Bleach vulnerabilities

It was discovered that Bleach did not properly sanitize URI attributes containing character entities. An attacker could possibly use this issue to construct a URI with a disallowed scheme that would bypass sanitization, leading to cross-site scripting. This issue only affected Ubuntu 18.04 LTS...

EUVD-2020-0055

Malware in sbrugna...

EUVD-2020-0054

Malware in sbrugna...

EUVD-2018-0026

Malware in sbrugna...

EUVD-2021-0036

Malware in sbrugna...

EUVD-2020-0056

Malware in sbrugna...

EUVD-2018-15504

Malware in sbrugna...

A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

...

Linux Distros Unpatched Vulnerability : CVE-2018-7753

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Usi...

Linux Distros Unpatched Vulnerability : CVE-2020-6802

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. CVE-2020-68...

Linux Distros Unpatched Vulnerability : CVE-2020-6817

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - bleach.clean behavior parsing style attributes could result in a regular expression denial of service ReDoS. Calls to bleach.clean with an allowed tag with an...

Linux Distros Unpatched Vulnerability : CVE-2020-6816

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False...

Linux Distros Unpatched Vulnerability : CVE-2021-23980

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea,...

OPENSUSE-SU-2024:14134-1 python310-bleach-6.1.0-1.5 on GA media

These are all security issues fixed in the python310-bleach-6.1.0-1.5 package on the GA media of openSUSE Tumbleweed...

OPENSUSE-SU-2024:11219-1 python36-bleach-3.3.0-1.4 on GA media

These are all security issues fixed in the python36-bleach-3.3.0-1.4 package on the GA media of openSUSE Tumbleweed...