Vulnerability Details : CVE-2018-7753
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.
Vulnerability category: Input validation
Products affected by CVE-2018-7753
- cpe:2.3:a:mozilla:bleach:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bleach:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:bleach:2.1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-7753
- EPSS score: 0.32% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-7753
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2018-7753
- CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-7753
- https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef
  Merge pull request #356 from willkg/fix-entities · mozilla/bleach@c5df578 · GitHub (Patch; Third Party Advisory)
- https://bugs.debian.org/892252
  #892252 - python-bleach: CVE-2018-7753: URI values with character entities not properly sanitized - Debian Bug report logs (Third Party Advisory)
- https://github.com/mozilla/bleach/releases/tag/v2.1.3
  Release v2.1.3: Version 2.1.3 (March 5th, 2018) · mozilla/bleach · GitHub (Third Party Advisory)