Mozilla Bleach

stack.watch can notify you when security vulnerabilities are reported in Mozilla Bleach. You can add multiple products that you use with Bleach to create your own personal software stack watcher.

By the Year

In 2020 there have been 2 vulnerabilities in Mozilla Bleach, with an average score of 6.1 out of ten. Last year, Bleach had 0 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2020 than in all of last year.

Year   Vulnerabilities   Average Score
2020   2                 6.10
2019   0                 0.00
2018   1                 9.80

It may take a day or so for new Bleach vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Mozilla Bleach Security Vulnerabilities

CVE-2020-6802 6.1 - Medium - March 24, 2020

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

CVE-2020-6802 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality and integrity, and no impact on availability.

XSS

CVE-2020-6816 6.1 - Medium - March 24, 2020

In Mozilla Bleach before 3.12, a mutation XSS affects bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False is used.

CVE-2020-6816 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality and integrity, and no impact on availability.

XSS

CVE-2018-7753 9.8 - Critical - March 07, 2018

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a disallowed scheme that would slide through unsanitized.

CVE-2018-7753 can be exploited with network access, and does not require privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Improper Input Validation