CVE-2021-42576 – github.com/microcosm-cc/bluemonday
Package
Manager: go
Name: github.com/microcosm-cc/bluemonday
Vulnerable Version: >=0 <1.0.16
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
EPSS: 0.00447 (percentile 0.6264)
Details
Policies not properly enforced in bluemonday
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
Metadata
Created: 2021-10-19T20:15:30Z
Modified: 2024-10-21T20:18:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-x95h-979x-cf3j/GHSA-x95h-979x-cf3j.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-x95h-979x-cf3j
Finding: F184
Auto approve: 1