CVE-2021-23980

NameCVE-2021-23980
Descriptionmutation XSS via allowed math or svg; p or br; and style, title, noscript, script, textarea, noframes, iframe, or xmp tags with strip_comments=False
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2620-1, DSA-4892-1
Debian Bugs986251

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-bleach (PTS)stretch2.0-1vulnerable
stretch (security)2.0-1+deb9u1fixed
buster3.1.2-0+deb10u1vulnerable
buster (security)3.1.2-0+deb10u2fixed
bullseye, sid3.2.1-2.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-bleachsourcestretch2.0-1+deb9u1DLA-2620-1
python-bleachsourcebuster3.1.2-0+deb10u2DSA-4892-1
python-bleachsource(unstable)3.2.1-2.1986251

Notes

https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
https://github.com/mozilla/bleach/commit/1334134d34397966a7f7cfebd38639e9ba2c680e
https://github.com/mozilla/bleach/commit/d398c89e54ced6b1039d3677689707456ba42dec

Search for package or bug name: Reporting problems