CVE-2018-7753 – bleach
Package
Manager: pip
Name: bleach
Vulnerable Version: >=2.1.0 <2.1.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00539 (percentile 0.66612)
Details
Bleach URI Scheme Restriction Bypass

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
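The class of bug described above, as an added example (this is not Bleach's code or its actual fix): a scheme check run on the raw attribute text next to one that decodes character entities first. The function names, the allowlist and the sample values are assumptions constructed for illustration.

```python
import html
import re

# Assumed allowlist for this example; a real deployment sets its own.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _scheme(value):
    """Return the lowercased scheme of a URI value, or None if it is relative."""
    # A scheme can only appear before the first '/', '?' or '#'.
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" not in head:
        return None
    return head.split(":", 1)[0].lower()


def naive_scheme_allowed(raw_value):
    """Flawed check: inspects the attribute text exactly as written in the
    markup, so an entity-encoded character hides the real scheme."""
    scheme = _scheme(raw_value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def hardened_scheme_allowed(raw_value):
    """Check the value the way a browser will see it: decode character
    entities, drop control characters and whitespace, then test the scheme."""
    decoded = html.unescape(raw_value)
    normalized = re.sub(r"[\x00-\x20\x7f]+", "", decoded)
    scheme = _scheme(normalized)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample attribute values (not taken from the advisory).
SAMPLES = [
    "https://example.com/a?x=1&amp;y=2",  # allowed scheme, benign entity
    "/docs/page#top",                     # relative URL, no scheme
    "javascript&#58;void(0)",             # colon written as an entity
    "java&#115;cript:void(0)",            # scheme letter written as an entity
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: naive={naive_scheme_allowed(value)} "
              f"hardened={hardened_scheme_allowed(value)}")
```

Both checks agree on the first two samples; only the hardened check rejects the last two, because the disallowed scheme exists only after entity decoding.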
Metadata
Created: 2019-01-04T17:46:30Z
Modified: 2024-09-04T19:41:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-m9mq-p2f9-cfqv/GHSA-m9mq-p2f9-cfqv.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-m9mq-p2f9-cfqv
Finding: F184
Auto approve: 1