CVE-2021-23980
Summary
| CVE | CVE-2021-23980 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-16 22:15:00 UTC |
| Updated | 2023-02-27 15:19:00 UTC |
| Description | A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 1689399 - (CVE-2021-23980) mXSS in Mozilla-bleach with p tag | MISC | bugzilla.mozilla.org | |
| mutation XSS via allowed math or svg, p, and style tags with strip_comments=False · Advisory · mozilla/bleach · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178537 Debian Security Update for python-bleach (DLA 2620-1)
- 178556 Debian Security Update for python-bleach (DSA 4892-1)
- 179873 Debian Security Update for python-bleach (CVE-2021-23980)
- 502166 Alpine Linux Security Update for py3-bleach
- 750269 OpenSUSE Security Update for python-bleach (openSUSE-SU-2021:0552-1)
- 980644 Python (pip) Security Update for bleach (GHSA-vv2x-vrpj-qqpq)