CVE-2020-6816

Name

CVE-2020-6816

Description

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
Third Party Advisory	https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
Exploit	https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5/
MISC	https://advisory.checkmarx.net/advisory/CX-2020-4277

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:mozilla:bleach::::::::`	bleach	>= None	< 3.1.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-bleach	edge-community	3.1.2-r0	None	fixed
py3-bleach	3.22-community	3.1.2-r0	None	fixed
py3-bleach	3.21-community	3.1.2-r0	None	fixed
py3-bleach	3.20-community	3.1.2-r0	None	fixed
py3-bleach	3.19-community	3.1.2-r0	None	fixed
py3-bleach	3.18-community	3.1.2-r0	None	fixed
py3-bleach	3.17-community	3.1.2-r0	None	fixed