CVE-2018-7753
Bleach URI Scheme Restriction Bypass
9.8
CRITICAL
CVSS 3.1
EPSS 0.51%
Description
An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that carry URI values (for example the href of a link) were not properly sanitized when the value contained HTML character entities: the scheme check ran on the raw, still-encoded text, whereas a browser decodes the entities before it resolves the URI. By entity-encoding part of a scheme that was not on the allowed-protocol list, an attacker could produce a value in which the sanitizer saw no recognisable scheme and passed it through unchanged, while the browser later interpreted it as the disallowed scheme.
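The bug class described above, as an added stand-alone illustration (this is not Bleach's own code and uses only the Python standard library): a naive allow-list check that inspects the raw attribute text sits beside a hardened check that first decodes character entities and strips the whitespace and control characters a browser discards, so it compares the URI the browser will actually see. The attack strings are constructed for the example; ALLOWED_PROTOCOLS mirrors Bleach's documented default of http, https and mailto.

```python
"""Added illustration of the CVE-2018-7753 bug class (not Bleach's own code).

A URI allow-list is only as good as the text it inspects.  The naive checker
below looks at the raw attribute value; the hardened one first decodes HTML
character entities and strips characters browsers ignore in a URL, so it
sees the URI the way the browser will.  Standard library only.
"""
import html
import re
from urllib.parse import urlparse

# Mirrors Bleach's default protocol allow-list (http, https, mailto).
ALLOWED_PROTOCOLS = frozenset({"http", "https", "mailto"})

# Constructed inputs (not taken from the advisory).  Every entry except
# "benign" resolves to javascript:alert(1) once a browser decodes it.
SAMPLES = {
    "plain": "javascript:alert(1)",
    "decimal_entity": "&#106;avascript:alert(1)",   # 'j' as a decimal entity
    "hex_entity": "&#x6A;avascript:alert(1)",       # 'j' as a hex entity
    "named_entity": "java&Tab;script:alert(1)",     # HTML5 &Tab; -> U+0009
    "benign": "https://example.org/",
}

# Whitespace, C0/C1 controls and backticks are removed before the scheme is
# compared: browsers drop tabs and newlines anywhere in a URL and leading
# controls, so a scheme split by them still resolves as that scheme.
_IGNORABLE = re.compile(r"[\x00-\x20\x7f-\xa0\s`]+")


def naive_is_allowed(value: str) -> bool:
    """Vulnerable pattern: check the scheme of the raw, still-encoded text."""
    parsed = urlparse(value)
    if parsed.scheme:
        return parsed.scheme in ALLOWED_PROTOCOLS
    # No recognisable scheme: treated as a relative link, i.e. as http.
    return "http" in ALLOWED_PROTOCOLS


def hardened_is_allowed(value: str) -> bool:
    """Hardened pattern: normalise first, compare second."""
    decoded = html.unescape(value)                     # &#106; -> j, &Tab; -> \t
    normalized = _IGNORABLE.sub("", decoded).lower()   # only used for the check
    try:
        parsed = urlparse(normalized)
    except ValueError:                                 # unparseable: reject
        return False
    if parsed.scheme:
        return parsed.scheme in ALLOWED_PROTOCOLS
    if normalized.startswith("#"):                     # fragment-only link
        return True
    return "http" in ALLOWED_PROTOCOLS                 # relative link


def audit(samples=SAMPLES):
    """Return {name: (naive_verdict, hardened_verdict)} for each sample."""
    return {name: (naive_is_allowed(v), hardened_is_allowed(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in audit().items():
        print(f"{name:15} naive={naive!s:5} hardened={hardened}")
```

Running the script shows the naive checker accepting every entity-encoded variant (it sees no scheme and treats the value as a relative link) while rejecting only the undisguised javascript: string; the hardened checker rejects all four. The same constructed strings make a useful regression check after upgrading: feed them through bleach.clean with your real tag, attribute and protocol settings and confirm the href does not survive.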
How to fix CVE-2018-7753
To remediate CVE-2018-7753, upgrade the affected package to one of the fixed versions below and verify that the installed version reports 2.1.3 or later.
- upgrade to 2.1.3-1 or later
- upgrade to 2.1.3 or later
- upgrade to git commit c5df5789ec3471a31311f42c2d19fc2cf21b35ef or later
Is CVE-2018-7753 being exploited?
Low: the EPSS score is 0.51%, a predicted probability of exploitation in the wild over the next 30 days, which places it well below the level most teams treat as actively exploited. EPSS is a forecast, not evidence that the bug is harmless: smuggling a disallowed scheme such as javascript: past an HTML sanitizer is the classic route to cross-site scripting, so the upgrade should still be prioritised wherever an affected Bleach version renders user-supplied HTML.
Affected packages (3)
- < 2.1.3-1 (all earlier versions)
- >= 2.1.0, < 2.1.3
- < git commit c5df5789ec3471a31311f42c2d19fc2cf21b35ef | >= 2.1, < 2.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | CRITICAL 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.0 (vector as published; scores identically under 3.1) | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |