PyPI package
bleach
pkg:pypi/bleach
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-23980 | — | < 3.3.0 | 3.3.0 | Feb 16, 2023 | A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in | ||
| CVE-2020-6817 | — | < 3.1.4 | 3.1.4 | Feb 16, 2023 | bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). | ||
| CVE-2020-6816 | — | < 3.1.2 | 3.1.2 | Mar 24, 2020 | In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. | ||
| CVE-2020-6802 | — | < 3.1.1 | 3.1.1 | Mar 24, 2020 | In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. | ||
| CVE-2018-7753 | — | >= 2.1.0, < 2.1.3 | 2.1.3 | Mar 7, 2018 | An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide thro |
- CVE-2021-23980Feb 16, 2023affected < 3.3.0fixed 3.3.0
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in
- CVE-2020-6817Feb 16, 2023affected < 3.1.4fixed 3.1.4
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
- CVE-2020-6816Mar 24, 2020affected < 3.1.2fixed 3.1.2
In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
- CVE-2020-6802Mar 24, 2020affected < 3.1.1fixed 3.1.1
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
- CVE-2018-7753Mar 7, 2018affected >= 2.1.0, < 2.1.3fixed 2.1.3
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide thro