An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
References
Link | Resource |
---|---|
https://github.com/mozilla/bleach/releases/tag/v2.1.3 | Third Party Advisory |
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef | Patch Third Party Advisory |
https://bugs.debian.org/892252 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2018-03-07 15:29
Updated : 2018-03-29 06:50
NVD link : CVE-2018-7753
Mitre link : CVE-2018-7753
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
mozilla
- bleach