CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

bleach is vulnerable to cross-site scripting (XSS). Invoking the bleach.clean method with the scripting parameter set to FALSE and raw tags (such as title, textarea, script, style, noembed, noframes, iframe, xmp) allows BleachHTMLParser to process user-contributed content using the innerHTML property, which lets browsers mutate harmless content into a malicious XSS string that executes when the new DOM element is rendered. It affects all three major browsers: IE, Firefox, and Chrome.

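To find call sites exposed to the condition described above, the following added example (not code from the advisory or from the bleach project) statically scans Python source for `clean()` / `Cleaner()` calls whose `tags` allowlist includes any of the raw tags listed. It assumes "raw tags" refers to entries in the `tags` argument and that the allowlist is usually a literal; the function names and the sample source are constructed for illustration.

```python
import ast

# Raw tags named in the advisory text above.
RAW_TAGS = {"title", "textarea", "script", "style",
            "noembed", "noframes", "iframe", "xmp"}

def _call_name(func):
    """Return the trailing name of a call target: bleach.clean -> 'clean'."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None

def find_raw_tag_allowlists(source, filename="<src>"):
    """Return (line, call, raw tags) per clean()/Cleaner() call allowing raw tags.

    The third element is None when `tags` is not a literal and needs manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name not in ("clean", "Cleaner"):
            continue
        for kw in node.keywords:
            if kw.arg != "tags":
                continue
            if not isinstance(kw.value, (ast.List, ast.Tuple, ast.Set)):
                findings.append((node.lineno, name, None))  # unresolved allowlist
                continue
            allowed = {e.value.lower() for e in kw.value.elts
                       if isinstance(e, ast.Constant) and isinstance(e.value, str)}
            hits = sorted(allowed & RAW_TAGS)
            if hits:
                findings.append((node.lineno, name, hits))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample input, not taken from any real project.
SAMPLE = '''import bleach
safe = bleach.clean(text, tags=["b", "i", "a"])
risky = bleach.clean(text, tags=["p", "style"], strip=False)
c = bleach.Cleaner(tags={"textarea", "em"})
dyn = bleach.clean(text, tags=settings.ALLOWED)
'''

if __name__ == "__main__":
    for line, call, hits in find_raw_tag_allowlists(SAMPLE):
        print(f"line {line}: {call}() tags -> {hits or 'non-literal, review manually'}")
```

Calls that rely on the default allowlist or pass `tags` positionally are not reported by this check and need separate review.
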
advisory.checkmarx.net/advisory/CX-2020-4276
cure53.de/fp170.pdf
github.com/advisories/GHSA-q65m-pv3f-wr5r
github.com/mozilla/bleach/commit/996cde7a2439a2323f9c4b2567c8b8449d393351
github.com/mozilla/bleach/pull/516
github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r
lists.fedoraproject.org/archives/list/[email protected]/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/
lists.fedoraproject.org/archives/list/[email protected]/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/
lists.fedoraproject.org/archives/list/[email protected]/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/
www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach