Mozilla Bleach
By the Year
In 2023 there have been 2 vulnerabilities in Mozilla Bleach with an average score of 6.8 out of ten. Bleach did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2023 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 2 | 6.80 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 6.10 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Bleach vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Bleach Security Vulnerabilities
A mutation XSS affects users calling bleach.clean with all of: svg or math in the
CVE-2021-23980
6.1 - Medium
- February 16, 2023
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
XSS
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS)
CVE-2020-6817
7.5 - High
- February 16, 2023
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
ReDoS
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the
CVE-2020-6802
6.1 - Medium
- March 24, 2020
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
XSS
In Mozilla Bleach before 3.12
CVE-2020-6816
6.1 - Medium
- March 24, 2020
In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.
XSS
An issue was discovered in Bleach 2.1.x before 2.1.3
CVE-2018-7753
9.8 - Critical
- March 07, 2018
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
Improper Input Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Mozilla Bleach or by Mozilla? Click the Watch button to subscribe.
