Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-7753

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.

Published

2018-03-07T23:29:00.273

Last Modified

2024-11-21T04:12:40.100

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mozilla	bleach	2.1	Yes
Application	mozilla	bleach	2.1.1	Yes
Application	mozilla	bleach	2.1.2	Yes

References

https://bugs.debian.org/892252 Third Party Advisory ([email protected])
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef Patch, Third Party Advisory ([email protected])
https://github.com/mozilla/bleach/releases/tag/v2.1.3 Third Party Advisory ([email protected])
https://bugs.debian.org/892252 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mozilla/bleach/releases/tag/v2.1.3 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)