Headline
CVE-2020-6816: mutation XSS via whitelisted math or svg and RCDATA tag with strip=False
In Mozilla Bleach before 3.1.2, bleach.clean is vulnerable to a mutation XSS when an RCDATA tag and either the svg or math tag are whitelisted and the call uses the keyword argument strip=False.
Impact
A mutation XSS affects users calling bleach.clean with all of:
- svg or math in the allowed/whitelisted tags
- an RCDATA tag (see below) in the allowed/whitelisted tags
- the keyword argument strip=False
Patches
Users are encouraged to upgrade to bleach v3.1.2 or greater.
Workarounds
- Modify bleach.clean calls to use strip=True, or
- do not whitelist math or svg together with one or more of the following RCDATA tags:
  script noscript style noframes xmp noembed iframe
- A strong Content-Security-Policy (without unsafe-inline and unsafe-eval in script-src) will also help mitigate the risk.
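The following is an added example, not code from the Bleach project, showing how to audit a bleach.clean configuration against the three conditions above and derive a configuration that applies one of the workarounds. It models only the real tags and strip keyword arguments of bleach.clean; the function names is_affected_config and harden_clean_kwargs and the strategy names are this example's own, and the RCDATA tag list is the one given in this advisory.

```python
# Added example (not Bleach's own code): check a bleach.clean(tags=..., strip=...)
# configuration for the CVE-2020-6816 conditions and produce a hardened one.
# Only the `tags` and `strip` keyword arguments of bleach.clean are modelled.

# Tags that introduce a foreign (SVG/MathML) namespace.
NAMESPACE_TAGS = frozenset({"svg", "math"})

# The RCDATA tags named in the Workarounds section of this advisory.
RCDATA_TAGS = frozenset({"script", "noscript", "style", "noframes",
                         "xmp", "noembed", "iframe"})


def is_affected_config(tags, strip=False):
    """Return True when a bleach.clean(tags=..., strip=...) call matches all
    three conditions of the advisory: a namespace tag is allowed, an RCDATA
    tag is allowed, and strip is False."""
    allowed = {t.lower() for t in tags}
    return (bool(allowed & NAMESPACE_TAGS)
            and bool(allowed & RCDATA_TAGS)
            and not strip)


def harden_clean_kwargs(tags, strip=False, strategy="drop_rcdata"):
    """Return kwargs for bleach.clean() that fall outside the affected
    configuration. Unaffected configurations are returned unchanged.

    strategy (names are this example's own):
      "strip"          - first workaround: set strip=True, so disallowed
                         tags are removed instead of escaped (this changes
                         output for all disallowed tags, not only these).
      "drop_rcdata"    - second workaround: keep svg/math, drop RCDATA tags.
      "drop_namespace" - second workaround: keep RCDATA tags, drop svg/math.
    """
    tags = list(tags)
    if not is_affected_config(tags, strip):
        return {"tags": tags, "strip": strip}
    if strategy == "strip":
        return {"tags": tags, "strip": True}
    if strategy == "drop_rcdata":
        return {"tags": [t for t in tags if t.lower() not in RCDATA_TAGS],
                "strip": strip}
    if strategy == "drop_namespace":
        return {"tags": [t for t in tags if t.lower() not in NAMESPACE_TAGS],
                "strip": strip}
    raise ValueError("unknown strategy: %r" % (strategy,))


if __name__ == "__main__":
    # Constructed allowlist that matches all three conditions.
    allowed = ["p", "a", "svg", "style"]
    print("affected:", is_affected_config(allowed, strip=False))
    for s in ("strip", "drop_rcdata", "drop_namespace"):
        kw = harden_clean_kwargs(allowed, strip=False, strategy=s)
        print(s, "->", kw, "affected:", is_affected_config(**kw))
    # To apply it to a real call (assumes bleach is installed; upgrading to
    # 3.1.2 or later is still the actual fix):
    #   import bleach
    #   bleach.clean(untrusted_html, **harden_clean_kwargs(allowed))
```

Note that strip=True is not a free change: with strip=False Bleach escapes disallowed tags so they survive as visible text, while strip=True removes them, so check that downstream consumers of the cleaned HTML accept the difference before choosing that workaround over narrowing the allowlist.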
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
- https://cure53.de/fp170.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2020-6816
- https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach
Credits
- Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/mozilla/bleach/issues
- Email us at [email protected]