CVE-2021-42576: Policies not properly enforced in bluemonday
(updated )
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
References
- docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50
- github.com/advisories/GHSA-x95h-979x-cf3j
- github.com/microcosm-cc/bluemonday
- github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- github.com/pypa/advisory-database/tree/main/vulns/pybluemonday/PYSEC-2021-849.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-42576
- pkg.go.dev/vuln/GO-2022-0588
- pypi.org/project/pybluemonday
Detect and mitigate CVE-2021-42576 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →