VDB
CVE-2021-23980
CVE-2021-23980
PUBLISHED
A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
EPSS 0.49% · 66.1th percentile
Risk Scores
EPSS Score
0.49%
66.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:25.10 | python-bleach | 0, 6.2.0-1 |
| Ubuntu:22.04:LTS | python-bleach | 3.2.1-2.1, 4.1.0-1, 0 |
| Ubuntu:20.04:LTS | python-bleach | 3.1.1-1, 0, 3.1.0-1 |
| Ubuntu:18.04:LTS | python-bleach | 0, 2.0-1, 2.1.2-1 |
| Ubuntu:24.04:LTS | python-bleach | 6.1.0-1, 0, 6.0.0-2 |
| Ubuntu:16.04:LTS | python-bleach | 1.4-1, 1.4.2-1, 0 |
Exploit Intelligence
Timeline
- Feb 2, 2021 CVE Published
- Sep 28, 2021 CVE Updated
- Feb 17, 2023 EPSS Score
- Feb 17, 2023 PoC Published
- Mar 7, 2023 EPSS Score
- Mar 29, 2023 EPSS Score
- May 7, 2023 EPSS Score
- Jun 16, 2023 EPSS Score
- Jul 25, 2023 EPSS Score
- Sep 3, 2023 EPSS Score
- Oct 13, 2023 EPSS Score
- Nov 21, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23980 third-party-advisory
- https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq third-party-advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 third-party-advisory
- https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13 third-party-advisory
- https://github.com/mozilla/bleach/commit/d398c89e54ced6b1039d3677689707456ba42dec third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23980 third-party-advisory