6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6816

GHSA ID

GHSA-m6xf-fq7q-8743

EPSS Score

0.5788%

CWE

CWE-79

Published

3/24/2020

Updated

9/12/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-6816

CVE-2020-6816: Bleach vulnerable to mutation XSS via whitelisted math or svg and raw tag

Impact

A mutation XSS affects users calling bleach.clean with all of:

the svg or math in the allowed/whitelisted tags
an RCDATA tag (see below) in the allowed/whitelisted tags
the keyword argument strip=False

Patches

Users are encouraged to upgrade to bleach v3.1.2 or greater.

Workarounds

modify bleach.clean calls to use strip=True, or not whitelist math or svg tags and one or more of the following tags:

script
noscript
style
noframes
xmp
noembed
iframe

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
https://cure53.de/fp170.pdf
https://nvd.nist.gov/vuln/detail/CVE-2020-6816
https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach

Credits

Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx

For more information

If you have any questions or comments about this advisory:

Open an issue at https://github.com/mozilla/bleach/issues
Email us at security@mozilla.org

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6816

GHSA ID

GHSA-m6xf-fq7q-8743

EPSS Score

0.5788%

CWE

CWE-79

Published

3/24/2020

Updated

9/12/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bleach	pip	< 3.1.2	3.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly references bleach.clean as the entry point with specific parameter combinations (whitelisted tags + strip=False). The core issue stems from how Bleach's sanitizer processes content in SVG/math XML namespaces when RCDATA tags are allowed, failing to account for browser parsing differences. The function's handling of these edge cases in the HTML sanitization process is directly addressed in the v3.1.2 patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * [mut*tion XSS](*ttps://*ur***.**/*p***.p**) *****ts us*rs **llin* `*l****.*l**n` wit* *ll o*: * t** `sv*` or `m*t*` in t** *llow**/w*it*list** t**s * *n R***T* t** (s** **low) in t** *llow**/w*it*list** t**s * t** k*ywor* *r*um*nt `str

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly r***r*n**s `*l****.*l**n` *s t** *ntry point wit* sp**i*i* p*r*m*t*r *om*in*tions (w*it*list** t**s + strip=**ls*). T** *or* issu* st*ms *rom *ow *l****'s s*nitiz*r pro**ss*s *ont*nt in SV*/m*t* XML n*m*sp**

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-6816: Bleach vulnerable to mutation XSS via whitelisted math or svg and raw tag

Impact

Patches

Workarounds

References

Credits

For more information

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI