PT-2020-6808 · Mozilla+3 · Bleach+3

Yaniv Nizry · Published 2020-02-24 · Updated 2026-03-05 · CVE-2020-6802

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Mozilla Bleach versions prior to 3.1.1

Description: The issue exists due to inadequate protection of web page structure. Exploitation can allow a remote attacker to conduct a cross-site scripting (XSS) attack. A mutation XSS affects users calling bleach.clean with noscript and a raw-text tag in the allowed/whitelisted tags option.

Recommendations: For versions prior to 3.1.1, modify bleach.clean calls so that noscript is not whitelisted together with one or more of the following raw-text tags: title, textarea, script, style, noembed, noframes, iframe, xmp. Implement a strong Content-Security-Policy without unsafe-inline and unsafe-eval in script-src to help mitigate the risk. Update to version 3.1.1 or later to resolve the issue.
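The two mitigations above (auditing the bleach.clean tag allowlist for the noscript plus raw-text-tag combination, and checking that the CSP does not permit inline or eval'd scripts) can be turned into a small pre-deployment check. The following is an added example written for this advisory; it is not code from the Bleach project or from the advisory author, it does not import bleach, and the function names (risky_tags, harden_tags, csp_script_src_weaknesses) and the sample allowlists and CSP strings are constructed for illustration.

```python
"""Audit a bleach.clean tag allowlist and a CSP header for the CVE-2020-6802 mitigations.

Constructed example for this advisory. It does not import bleach; the helper
names below are this example's own and are not part of Bleach's API.
"""
from __future__ import annotations

# Raw-text tags named in the advisory. A browser does not parse their content
# as HTML, so an allowlist that combines one of them with <noscript> lets the
# sanitised output be re-parsed into a different tree (mutation XSS) on
# Bleach versions prior to 3.1.1.
RAW_TEXT_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)


def risky_tags(allowed_tags) -> set:
    """Return the raw-text tags that make the allowlist vulnerable.

    The combination only matters when 'noscript' is allowed as well, so an
    empty set means the allowlist does not hit this advisory.
    """
    allowed = {t.lower() for t in allowed_tags}
    if "noscript" not in allowed:
        return set()
    return allowed & RAW_TEXT_TAGS


def harden_tags(allowed_tags) -> list:
    """Return a copy of the allowlist with the vulnerable combination removed.

    The advisory's mitigation is to stop whitelisting noscript together with the
    raw-text tags; this example drops 'noscript' (rarely needed in user content)
    and keeps the original order of the remaining tags.
    """
    if not risky_tags(allowed_tags):
        return list(allowed_tags)
    return [t for t in allowed_tags if t.lower() != "noscript"]


def csp_script_src_weaknesses(csp: str) -> set:
    """Return the 'unsafe-inline' / 'unsafe-eval' keywords that apply to scripts.

    Per CSP fallback rules, script-src is consulted when present, otherwise
    default-src governs script loading. Quotes around keywords are stripped.
    """
    directives: dict[str, set[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = {t.strip("'").lower() for t in tokens[1:]}
    sources = directives.get("script-src", directives.get("default-src", set()))
    return sources & {"unsafe-inline", "unsafe-eval"}


# Constructed allowlists, modelled on a typical bleach.clean(text, tags=...) call.
VULNERABLE_TAGS = ["p", "a", "noscript", "textarea", "style"]
SAFE_TAGS = ["p", "a", "textarea", "style"]

# Constructed CSP headers: the first would allow the injected inline script to run.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRONG_CSP = "default-src 'self'; script-src 'self'"

if __name__ == "__main__":
    print("vulnerable allowlist hits:", sorted(risky_tags(VULNERABLE_TAGS)))
    print("hardened allowlist:", harden_tags(VULNERABLE_TAGS))
    print("weak CSP script-src keywords:", sorted(csp_script_src_weaknesses(WEAK_CSP)))
    print("strong CSP script-src keywords:", sorted(csp_script_src_weaknesses(STRONG_CSP)))
```

Running risky_tags over every bleach.clean allowlist in a code base is a cheap way to find the affected call sites before upgrading; the CSP check is the second layer, since a policy with unsafe-inline in script-src would still execute an injected inline script even after the sanitiser is bypassed.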

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2022-07040
CVE-2020-6802
DSA-4636-1
GHSA-Q65M-PV3F-WR5R
MGASA-2020-0125
OPENSUSE-SU-2020:0308-1
OPENSUSE-SU-2020:0325-1
OPENSUSE-SU-2020_0308-1
OPENSUSE-SU-2024:11219-1
OPENSUSE-SU-2024:11507-1
OPENSUSE-SU-2024:14134-1
PYSEC-2020-27
USN-8077-1

Affected Products

Bleach
Linuxmint
Suse
Ubuntu