CVE-2018-7753
CRITICAL
Bleach 2.1.0-2.1.2 - Improper Input Validation via Character Entity Bypass
Title source: llmDescription
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes with URI values were not properly sanitized when those values contained character entities. By using character entities, it was possible to construct a URI value whose scheme was not on the allowed list and that passed through unsanitized.
References (3)
Core References
Third Party Advisory (x_refsource_misc): https://github.com/mozilla/bleach/releases/tag/v2.1.3
Patch, Third Party Advisory (x_refsource_misc): https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
Third Party Advisory (x_refsource_misc): https://bugs.debian.org/892252
Scores
CVSS v3
9.8
EPSS
0.0051
EPSS Percentile
66.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (4)
mozilla/bleach
2.1
mozilla/bleach
2.1.1
mozilla/bleach
2.1.2
pypi/bleach
2.1.0 - 2.1.3 (PyPI)
Published
Mar 07, 2018
Tracked Since
Feb 18, 2026