EUVD-2018-0026
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2020-6816
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False...
SUSE CVE-2018-7753
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized...
Cross-site Scripting
bleach is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute malicious script by calling bleach.clean with all of: (1) svg or math in the allowed tags, (2) p or br in allowed tags, (3) style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags, (4) the...
abracadabra (>=0.0.0 <=0.0.5), adversarial-labeller (=0.1.8) +210 more potentially affected by CVE-2021-23980 via bleach (>=1.2.2 <=3.2.3)
bleach PYPI version =1.2.2, =0.0.0, =1.0.0, =0.0.1, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =1.0.0 and more Source cves: CVE-2021-23980 Source advisory: OSV:GHSA-VV2X-VRPJ-QQPQ...
abracadabra (>=0.0.0 <=0.0.5), adversarial-labeller (=0.1.8) +210 more potentially affected by CVE-2021-23980 via bleach (>=1.2.2 <=3.2.3)
bleach PYPI version =1.2.2, =0.0.0, =1.0.0, =0.0.1, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =1.0.0 and more Source cves: CVE-2021-23980 Source advisory: OSV:PYSEC-2021-865...
Regular Expression Denial-of-Service (ReDoS)
bleach is vulnerable to regular expression denial of service (ReDoS). The vulnerability exists when parsing style attributes through sanitize_css...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +122 more potentially affected by CVE-2020-6817 via bleach (>=1.2.2 <=3.1.3)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =0.0.1, =0.2.1, =0.4.3 - dbx-deploy =0.6.1 and more Source cves: CVE-2020-6817 Source advisory: OSV:GHSA-VQHP-CXGC-6WMM...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +122 more potentially affected by CVE-2020-6817 via bleach (>=1.2.2 <=3.1.3)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =0.0.1, =0.2.1, =0.4.3 - dbx-deploy =0.6.1 and more Source cves: CVE-2020-6817 Source advisory: OSV:PYSEC-2020-340...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +113 more potentially affected by CVE-2020-6802 via bleach (>=1.2.2 <=3.1.0)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.3.4, =0.0.5, =0.1.3, =0.0.1, =0.2.1, =1.0.2, =0.1.2, =1.0.7 and more Source cves: CVE-2020-6802 Source advisory: OSV:PYSEC-2020-27...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +122 more potentially affected by CVE-2020-6816 via bleach (>=1.2.2 <=3.1.1)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =0.0.1, =0.2.1, =0.4.3 - dbx-deploy =0.6.1 and more Source cves: CVE-2020-6816 Source advisory: OSV:PYSEC-2020-28...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +122 more potentially affected by CVE-2020-6816 via bleach (>=1.2.2 <=3.1.1)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.0.9, =0.3.4, =0.0.5, =0.1.0rc1, =0.1.3, =0.0.1, =0.2.1, =0.4.3 - dbx-deploy =0.6.1 and more Source cves: CVE-2020-6816 Source advisory: OSV:GHSA-M6XF-FQ7Q-8743...
OPENSUSE-SU-2020:0325-1 Security update for python-bleach
This update for python-bleach to version 3.1.1 fixes the following issue: - python-bleach was updated to 3.1.1 - CVE-2020-6802: Fixed mutation XSS vulnerabilities (boo#1165303). This update was imported from the openSUSE:Leap:15.1:Update update project...
Cross-Site Scripting (XSS)
bleach is vulnerable to cross-site scripting (XSS). Invocation of the bleach.clean method with a scripting parameter set to FALSE and raw tags such as title, textarea, script, style, noembed, noframes, iframe, xmp allows BleachHTMLParser to process user-contributed content using the innerHTML property,...
adversarial-labeller (=0.1.8), alo7-airflow (>=1.10.0 <=1.10.0.7) +113 more potentially affected by CVE-2020-6802 via bleach (>=1.2.2 <=3.1.0)
bleach PYPI version =1.2.2, =1.10.0, =0.1.0, =0.0.6, =0.3.0, =0.3.4, =0.0.5, =0.1.3, =0.0.1, =0.2.1, =1.0.2, =0.1.2, =1.0.7 and more Source cves: CVE-2020-6802 Source advisory: OSV:GHSA-Q65M-PV3F-WR5R...
Cross-Site Scripting
Overview: All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as "scriptalert'xss';script" regardless of the passed options. This may allow attackers to execute arbitrary JavaScript in the victim's browser...
alo7-airflow (>=1.10.0 <=1.10.0.7), cateye (>=0.3.4 <=0.3.6) +1 more potentially affected by CVE-2018-7753 via bleach (>=2.1.0 <=2.1.2)
bleach PYPI version =2.1.0, =1.10.0, =0.3.4, =0.3.6 - protobuf-compiler =1.0.20 Source cves: CVE-2018-7753 Source advisory: OSV:GHSA-M9MQ-P2F9-CFQV...
Bleach Design Vulnerability
Bleach is an HTML cleanup library for removing tags and attributes. A security vulnerability exists in version 2.1.x prior to Bleach 2.1.3 that stems from the program failing to properly filter attributes with URI values. An attacker could exploit this vulnerability to obtain sensitive informatio...