PT-2021-3336 · Bleach+4

Michał Bentkowski +1 · Published 2021-02-02 · Updated 2026-03-05 · CVE-2021-23980

CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Bleach versions prior to 3.3.0

Description: A mutation XSS (mXSS) affects users calling bleach.clean() with specific allowed tags and the keyword argument strip_comments=False. This issue may allow a remote attacker to impact the confidentiality and integrity of protected information. The affected tags are svg, math, p, br, style, title, noscript, script, textarea, noframes, iframe and xmp. Note that none of these tags are in the default allowed tags, and strip_comments defaults to True, so a call that relies on the defaults is not affected.

Recommendations: To resolve the issue, upgrade to Bleach version 3.3.0 or greater. As a temporary workaround, modify bleach.clean() calls to do at least one of the following:
  • not allow the style, title, noscript, script, textarea, noframes, iframe or xmp tags
  • not allow the svg or math tags
  • not allow the p or br tags
  • set strip_comments=True
The bug needs all three tag groups to be allowed together with comments being kept, which is why removing any one group, or stripping comments, is enough to close it. Additionally, a strong Content-Security-Policy whose script-src excludes 'unsafe-inline' and 'unsafe-eval' will also help mitigate the risk.
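The check below is an added example for this page, not code from the Bleach project or from the advisory. It encodes only the conditions stated above (the three tag groups, strip_comments=False, and a release before 3.3.0) so that an application can refuse or repair a vulnerable bleach.clean() configuration before upgrading. The function and constant names are this example's own; bleach.clean(), bleach.ALLOWED_TAGS and the strip_comments keyword are the real library API.

```python
"""Pre-flight check for bleach.clean() against CVE-2021-23980.

Added example for this page; not code from the Bleach project or the
advisory. It encodes only the conditions the advisory states: a call is
affected when, on a Bleach release before 3.3.0, the allowed tags include
at least one tag from each of the three groups below and
strip_comments=False.
"""
import re
from importlib import metadata

# The three tag groups from the advisory's workaround list. Removing any
# one whole group from the allowed tags is a sufficient workaround.
RAW_TEXT_TAGS = frozenset(
    {"style", "title", "noscript", "script", "textarea", "noframes", "iframe", "xmp"}
)
FOREIGN_CONTENT_TAGS = frozenset({"svg", "math"})
P_BR_TAGS = frozenset({"p", "br"})

FIXED_VERSION = (3, 3, 0)  # first release the advisory lists as fixed


def parse_version(version):
    """Leading numeric components of a version string: '3.2.1' -> (3, 2, 1).
    Missing components count as 0, so '3.3' compares equal to '3.3.0'."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected_version(version):
    """True for every release 'prior to 3.3.0'."""
    return parse_version(version) < FIXED_VERSION


def is_vulnerable_config(tags, strip_comments):
    """True when (tags, strip_comments) matches the mXSS precondition.

    HTML tag names are case-insensitive, so normalise before comparing.
    """
    allowed = {t.lower() for t in tags}
    return (
        not strip_comments
        and bool(allowed & RAW_TEXT_TAGS)
        and bool(allowed & FOREIGN_CONTENT_TAGS)
        and bool(allowed & P_BR_TAGS)
    )


def harden_kwargs(**kwargs):
    """Return a copy of the bleach.clean() keyword arguments with the least
    invasive workaround applied: strip_comments forced to True. The tag
    list is left alone because trimming it can break content the
    application relies on; dropping HTML comments rarely does."""
    hardened = dict(kwargs)
    hardened["strip_comments"] = True
    return hardened


def safe_clean(text, **kwargs):
    """Drop-in wrapper for bleach.clean() that refuses the vulnerable
    combination on an affected release. Bleach is imported lazily so the
    checks above stay usable without it installed."""
    import bleach

    tags = kwargs.get("tags", bleach.ALLOWED_TAGS)
    strip_comments = kwargs.get("strip_comments", True)  # Bleach's default
    if is_affected_version(metadata.version("bleach")) and is_vulnerable_config(
        tags, strip_comments
    ):
        raise ValueError(
            "bleach.clean() configuration matches CVE-2021-23980: "
            "upgrade to Bleach >= 3.3.0 or pass harden_kwargs(**kwargs)"
        )
    return bleach.clean(text, **kwargs)


if __name__ == "__main__":
    # Constructed configuration, not taken from any real application: every
    # tag group is allowed and comments are kept, so the call is affected
    # on Bleach < 3.3.0.
    risky = dict(tags=["p", "br", "svg", "math", "style"], strip_comments=False)
    print("vulnerable:", is_vulnerable_config(**risky))          # True
    print("hardened:", is_vulnerable_config(**harden_kwargs(**risky)))  # False
```

Wire safe_clean() in where the application currently calls bleach.clean() directly; on a patched release it is a pass-through, and on an affected one it fails closed instead of silently sanitising with a configuration the advisory says is bypassable.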

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2021-03144
CVE-2021-23980
DLA-2620-1
DSA-4892-1
GHSA-VV2X-VRPJ-QQPQ
MGASA-2021-0260
OESA-2022-1861
OPENSUSE-SU-2021:0552-1
OPENSUSE-SU-2021:0571-1
OPENSUSE-SU-2024:11219-1
OPENSUSE-SU-2024:14134-1
PYSEC-2021-865
RHSA-2021:0781
USN-8077-1

Affected Products

Astra Linux
Bleach
Linuxmint
Suse
Ubuntu