
CVE-2020-6802: XSS in Bleach when noscript and raw tag whitelisted

CVSS Score (v3.1)
6.1

Basic Information

EPSS Score
0.72178%
Published
2/24/2020
Updated
9/13/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| bleach       | pip       | < 3.1.1             | 3.1.1                 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from Bleach's HTML parser handling <noscript> differently than browsers. The commit diff shows the critical fix was changing 'scripting=False' to 'scripting=True' in BleachHTMLParser._parse to align with browser behavior. This parameter controls whether the content of <noscript> is parsed as HTML (scripting=False) or treated as raw text, as a browser with JavaScript enabled does (scripting=True). The vulnerable version's 'False' setting created a parsing mismatch between Bleach and the browser, which attackers exploited by nesting raw tags inside <noscript>.

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact
A [mutation XSS](https://…) affects users calling `bleach.clean` with `noscript` and a raw tag (see below) in the allowed/whitelisted tags option.

### Patches
v3.1.1

### Workarounds
* modify `bleach.clean` calls to n
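The root cause analysis above and the advisory's workaround both come down to one condition: an allowlist that contains `noscript` together with a raw-text tag, fed to a Bleach release before 3.1.1. The following is an added example, not code from the advisory or from the Bleach project, that lets a defender audit such allowlists and apply the workaround automatically. It assumes the usual HTML5 raw-text and escapable-raw-text element names (`script`, `style`, `title`, `textarea`, `xmp`, `iframe`, `noembed`, `noframes`) as the set of "raw tags"; the advisory's own list is not reproduced on this page. The cleaning function is passed in as a parameter so the example runs without Bleach installed; in production it would be `bleach.clean`.

```python
"""Added example (not from the advisory or the bleach project): guard helpers
for bleach.clean allowlists around CVE-2020-6802."""
from typing import Callable, FrozenSet, Iterable, List

# Assumption: raw-text and escapable-raw-text elements whose contents an HTML5
# parser treats as literal text. The advisory's own list is not on the page.
RAW_TEXT_TAGS: FrozenSet[str] = frozenset(
    {"script", "style", "title", "textarea", "xmp", "iframe", "noembed", "noframes"}
)

FIRST_PATCHED = (3, 1, 1)  # first patched bleach release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '3.1.0' into (3, 1, 0); stops at the first non-numeric segment."""
    parts: List[int] = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the given bleach version is 3.1.1 or later."""
    return parse_version(version) >= FIRST_PATCHED


def risky_tags(allowed: Iterable[str]) -> FrozenSet[str]:
    """Raw-text tags that are allowlisted together with noscript.
    A non-empty result is exactly the condition the advisory describes."""
    tags = {t.lower() for t in allowed}
    if "noscript" not in tags:
        return frozenset()
    return frozenset(tags & RAW_TEXT_TAGS)


def harden_allowed_tags(allowed: Iterable[str]) -> List[str]:
    """Return the allowlist with noscript dropped when a raw-text tag is also
    present (the advisory's workaround: never allow both). Order is preserved."""
    tags = [t.lower() for t in allowed]
    if risky_tags(tags):
        return [t for t in tags if t != "noscript"]
    return tags


def guarded_clean(html: str, allowed: Iterable[str],
                  clean_fn: Callable[..., str], bleach_version: str) -> str:
    """Call clean_fn (meant to be bleach.clean, passed in so this runs without
    bleach installed) with a hardened allowlist on unpatched versions."""
    tags = list(allowed)
    if not is_patched(bleach_version) and risky_tags(tags):
        tags = harden_allowed_tags(tags)
    return clean_fn(html, tags=tags)


if __name__ == "__main__":
    # Constructed allowlist that matches the vulnerable pattern.
    demo = ["p", "a", "noscript", "style"]
    print("risky:", sorted(risky_tags(demo)))      # ['style']
    print("hardened:", harden_allowed_tags(demo))  # ['p', 'a', 'style']
    print("3.1.0 patched?", is_patched("3.1.0"))   # False
```

Upgrading to 3.1.1 is the real fix; `guarded_clean` only narrows the allowlist on older releases, so a deployment that genuinely needs `noscript` in its output should treat a non-empty `risky_tags` result as a blocker for the upgrade rather than a permanent state.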

Reasoning
