CVE-2020-6816: Cross-site Scripting
(updated )
In Mozilla Bleach, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are in the allowlist with the keyword argument strip=False.
References
- advisory.checkmarx.net/advisory/CX-2020-4277
- github.com/advisories/GHSA-m6xf-fq7q-8743
- github.com/mozilla/bleach
- github.com/mozilla/bleach/releases/tag/v3.1.2
- github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743
- github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-28.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5
- nvd.nist.gov/vuln/detail/CVE-2020-6816
- www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
Detect and mitigate CVE-2020-6816 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →