CVE-2021-23980 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-23980 PUBLISHED

A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

EPSS 0.47% · 64.3th percentile

Risk Scores

EPSS Score

0.47%

64.3th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:25.10	python-bleach	6.2.0-1, 0
Ubuntu:22.04:LTS	python-bleach	0, 4.1.0-1, 3.2.1-2.1
Ubuntu:20.04:LTS	python-bleach	3.1.1-1, 0, 3.1.0-1
Ubuntu:18.04:LTS	python-bleach	0, 2.1.2-1, 2.0-1
Ubuntu:24.04:LTS	python-bleach	6.1.0-2, 0, 6.0.0-2
Ubuntu:16.04:LTS	python-bleach	1.4-1, 1.4.2-1, 0

Timeline

Feb 2, 2021 CVE Published
Sep 28, 2021 CVE Updated
Feb 17, 2023 EPSS Score
Feb 17, 2023 PoC Published
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 6, 2023 EPSS Score
Jun 14, 2023 EPSS Score
Jul 23, 2023 EPSS Score
Aug 31, 2023 EPSS Score
Oct 9, 2023 EPSS Score
Nov 17, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2021-23980 third-party-advisory
https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq third-party-advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1689399 third-party-advisory
https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13 third-party-advisory
https://github.com/mozilla/bleach/commit/d398c89e54ced6b1039d3677689707456ba42dec third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-23980 third-party-advisory

Open in Interactive Console →