FreeBSD : www/py-bleach -- multiple vulnerabilities (3d19c776-68e7-11ea-91db-0050562a4d7b)

high Nessus Plugin ID 134686

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

* ``bleach.clean`` behavior when parsing embedded MathML and SVG content containing RCDATA tags did not match browser behavior and could result in a mutation XSS.

Calls to ``bleach.clean`` with ``strip=False`` where the list of allowed tags included ``math`` or ``svg`` together with one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` were vulnerable to a mutation XSS.

* ``bleach.clean`` behavior when parsing ``noscript`` tags did not match browser behavior.

Calls to ``bleach.clean`` whose list of allowed tags included ``noscript`` together with one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.

Solution

Update the affected packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

http://www.nessus.org/u?bcb3e506

Plugin Details

Severity: High

ID: 134686

File Name: freebsd_pkg_3d19c77668e711ea91db0050562a4d7b.nasl

Version: 1.1

Type: local

Published: 3/19/2020

Updated: 3/19/2020

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-bleach, p-cpe:/a:freebsd:freebsd:py35-bleach, p-cpe:/a:freebsd:freebsd:py36-bleach, p-cpe:/a:freebsd:freebsd:py37-bleach, p-cpe:/a:freebsd:freebsd:py38-bleach, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/18/2020

Vulnerability Publication Date: 2/13/2020