PT-2020-2103 · Mozilla+3 · Bleach+3

Yaniv Nizry · Published 2020-03-20 · Updated 2026-03-05 · CVE-2020-6816

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Mozilla Bleach versions prior to 3.1.2
Description: A mutation XSS issue affects users calling bleach.clean with a specific combination of settings: whitelisting the svg or math tags, allowing RCDATA tags, and setting the strip keyword argument to False. This could potentially allow a remote attacker to impact data integrity.
Recommendations: For versions prior to 3.1.2, upgrade to bleach v3.1.2 or greater. As a temporary workaround, consider modifying bleach.clean calls to use strip=True, or not whitelisting the math or svg tags together with one or more of the following tags: script, noscript, style, noframes, xmp, noembed, iframe. Implementing a strong Content-Security-Policy without unsafe-inline and unsafe-eval in script-src will also help mitigate the risk.
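An added audit helper, not Bleach's own code, that applies the version and configuration criteria from the description and recommendations above to a bleach.clean call's tags/strip arguments and applies one of the stated workarounds; the function names and the sample arguments are my own.

```python
from typing import Iterable, List, Tuple

# Tag sets named in the advisory. The affected configuration is strip=False
# together with svg or math allowed AND at least one of the RCDATA tags allowed.
FOREIGN_CONTENT_TAGS = frozenset({"svg", "math"})
RCDATA_TAGS = frozenset({"script", "noscript", "style",
                         "noframes", "xmp", "noembed", "iframe"})
FIXED_VERSION = (3, 1, 2)  # first release the advisory lists as fixed


def is_vulnerable_version(version: str) -> bool:
    """True for bleach releases before 3.1.2 (numeric parts only, e.g. '3.1.1')."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad '3.1' to (3, 1, 0)
    return parts < FIXED_VERSION


def is_affected_config(tags: Iterable[str], strip: bool = False) -> bool:
    """True when bleach.clean(tags=..., strip=...) matches the affected settings.
    strip defaults to False here because that is bleach.clean's own default."""
    allowed = {t.lower() for t in tags}
    return (not strip
            and bool(allowed & FOREIGN_CONTENT_TAGS)
            and bool(allowed & RCDATA_TAGS))


def harden_config(tags: Iterable[str], strip: bool = False,
                  prefer_strip: bool = True) -> Tuple[List[str], bool]:
    """Apply one of the advisory's workarounds and return (tags, strip):
    either switch to strip=True, or drop the RCDATA tags from the allow-list."""
    allowed = list(dict.fromkeys(t.lower() for t in tags))  # de-dup, keep order
    if not is_affected_config(allowed, strip):
        return allowed, strip
    if prefer_strip:
        return allowed, True
    return [t for t in allowed if t not in RCDATA_TAGS], strip


def audit(version: str, tags: Iterable[str], strip: bool = False) -> str:
    """One-line verdict combining the version and configuration checks."""
    if not is_vulnerable_version(version):
        return "fixed release: upgrade already applied"
    if is_affected_config(tags, strip):
        return "AFFECTED: upgrade to 3.1.2+ or apply a workaround"
    return "vulnerable release but configuration not affected: upgrade anyway"


# Constructed sample arguments, not taken from any real deployment.
SAMPLE_VERDICT = audit("3.1.1", ["p", "a", "svg", "style"])
```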

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2020-01964
CVE-2020-6816
DSA-4643-1
GHSA-M6XF-FQ7Q-8743
MGASA-2020-0176
OPENSUSE-SU-2021:0552-1
OPENSUSE-SU-2021:0571-1
OPENSUSE-SU-2021_0552-1
OPENSUSE-SU-2024:11219-1
OPENSUSE-SU-2024:14134-1
PYSEC-2020-28
USN-8077-1

Affected Products

Bleach
Linuxmint
Suse
Ubuntu