6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6802

GHSA ID

GHSA-q65m-pv3f-wr5r

EPSS Score

0.72178%

CWE

CWE-79

Published

2/24/2020

Updated

9/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-6802

CVE-2020-6802: XSS in Bleach when noscript and raw tag whitelisted

Impact

A mutation XSS affects users calling bleach.clean with noscript and a raw tag (see below) in the allowed/whitelisted tags option.

Patches

v3.1.1

Workarounds

modify bleach.clean calls to not whitelist noscript and one or more of the following raw tags:

title
textarea
script
style
noembed
noframes
iframe
xmp

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
https://cure53.de/fp170.pdf
https://nvd.nist.gov/vuln/detail/CVE-2020-6802
https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

Credits

Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at security@mozilla.org

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6802

GHSA ID

GHSA-q65m-pv3f-wr5r

EPSS Score

0.72178%

CWE

CWE-79

Published

2/24/2020

Updated

9/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bleach	pip	< 3.1.1	3.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Bleach's HTML parser handling <noscript> differently than browsers. The commit diff shows the critical fix was changing 'scripting=False' to 'scripting=True' in BleachHTMLParser._parse to align with browser behavior. This parameter controls whether to parse <noscript> content as HTML (scripting=False) or ignore it as browsers do when JS is enabled (scripting=True). The vulnerable version's 'False' setting created a parsing mismatch that attackers exploited by nesting raw tags inside <noscript>.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * [mut*tion XSS](*ttps://*ur***.**/*p***.p**) *****ts us*rs **llin* `*l****.*l**n` wit* `nos*ript` *n* * r*w t** (s** **low) in t** *llow**/w*it*list** t**s option. ### P*t***s v*.*.* ### Work*roun*s * mo*i*y `*l****.*l**n` **lls to n

Reasoning

T** vuln*r**ility st*ms *rom *l****'s *TML p*rs*r **n*lin* <nos*ript> *i***r*ntly t**n *rows*rs. T** *ommit *i** s*ows t** *riti**l *ix w*s ***n*in* 's*riptin*=**ls*' to 's*riptin*=Tru*' in `*l*****TMLP*rs*r._p*rs*` to *li*n wit* *rows*r ****vior. T*

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-6802: XSS in Bleach when noscript and raw tag whitelisted

Impact

Patches

Workarounds

References

Credits

For more information

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI