Bleach Security Vulnerabilities and Issues — Bleach CVE List

Lucene search

MozillaBleach

5 matches found

CVE•added 2020/03/24 10:15 p.m.•173 views

CVE-2020-6816

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

6.1CVSS5.9AI score0.00366EPSS

CVE•added 2020/03/24 10:15 p.m.•166 views

CVE-2020-6802

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

6.1CVSS5.9AI score0.0075EPSS

CVE•added 2018/03/07 11:29 p.m.•131 views

CVE-2018-7753

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

9.8CVSS9.1AI score0.00539EPSS

CVE•added 2023/02/16 10:15 p.m.•115 views

CVE-2021-23980

A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed...

6.1CVSS5.7AI score0.00404EPSS

CVE•added 2023/02/16 10:15 p.m.•82 views

CVE-2020-6817

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

7.5CVSS6.3AI score0.00167EPSS