Mutation XSS Vulnerability in Mozilla Bleach Prior to 3.12
CVE-2020-6816

6.1 MEDIUM

Key Information:

Vendor:
Mozilla
CVE Published:
24 March 2020

Summary

A mutation Cross-Site Scripting (mXSS) vulnerability exists in Mozilla Bleach versions prior to 3.12. The flaw is triggered by a specific bleach.clean configuration: RCDATA tags and either SVG or MathML tags are whitelisted while the strip argument is set to False. Under that configuration, sanitized output can be re-parsed by the browser into markup containing script, allowing malicious scripts to be injected into web applications that rely on Bleach for sanitization. Developers using this library should update to the latest version.

Affected Version(s)

Mozilla Bleach <=3.11

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 24 March 2020

  • Vulnerability reserved