Published: 19 Oct 2021
Source: github
Github: Reviewed
CVSS4: 8.1
CVSS3: 9.8
Description
Policies not properly enforced in bluemonday
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-42576
- https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50
- https://github.com/advisories/GHSA-x95h-979x-cf3j
- https://github.com/pypa/advisory-database/tree/main/vulns/pybluemonday/PYSEC-2021-849.yaml
- https://pkg.go.dev/vuln/GO-2022-0588
- https://pypi.org/project/pybluemonday
Packages
Name: pybluemonday (pip)
Affected versions: < 0.0.8
Fixed version: 0.0.8

Name: github.com/microcosm-cc/bluemonday (go)
Affected versions: < 1.0.16
Fixed version: 1.0.16
Related vulnerabilities
- ubuntu (CVSS3: 9.8, more than 4 years ago): The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
- nvd (CVSS3: 9.8, more than 4 years ago): The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
- debian (CVSS3: 9.8, more than 4 years ago): The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Py ...