CVE-2021-23980
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
| Software | From | Fixed in |
|---|---|---|
| mozilla / bleach | - | 3.3.0 |
bleach
|
- | 3.3.0 |
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2021-23980
- https://cure53.de/fp170.pdf
- https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://pypi.org/project/bleach/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime