CVE-2020-6802
Aliases:GHSA-q65m-pv3f-wr5rPYSEC-2020-27
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 24 Mar 2020, 21:13
Last modified:04 Aug 2024, 09:11
Vulnerability Summary
Overall Risk (default)
medium
34/100 CVSS Score
6.1 MEDIUM
v3.1 (nvd)
EPSS Score
0.27% LOW
0% probability -0.11%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
24 Mar 2020, 21:13
Published
Vulnerability first disclosed
04 Aug 2024, 09:11
Last Modified
Vulnerability information updated
Description
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
CVSS Metrics
- v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.27%• Percentile: 50%
Techniques & Countermeasures
- CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Affected Systems
- fedoraproject•fedora
30 | 31 | 32
- mozilla•bleach
< 3.1.1
- PyPI•bleach
< 3.1.1
References (18)
- https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/
- https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
- https://advisory.checkmarx.net/advisory/CX-2020-4276
- https://nvd.nist.gov/vuln/detail/CVE-2020-6802
- https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd
- https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach
- https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-27.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCNLM2MGQTOLCIVVYS2Z5S7KOQJR5JC4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTULPQB7HVPPYWEYVNHJGDTSPVIDHIZX/