CVE-2018-7753

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
VendorProductVersion
mozillableach
2.1
mozillableach
2.1.1
mozillableach
2.1.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-bleach
bullseye
3.2.1-2.1
fixed
stretch
not-affected
jessie
not-affected
bookworm
5.0.1-2
fixed
sid
6.2.0-1
fixed
trixie
6.2.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-bleach
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needs-triage
artful
ignored
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://bugs.debian.org/892252
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
https://github.com/mozilla/bleach/releases/tag/v2.1.3
https://bugs.debian.org/892252
https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
https://github.com/mozilla/bleach/releases/tag/v2.1.3