CVE-2020-6802 — MEDIUM (6.1)

Q: What is CVE-2020-6802?

CVE-2020-6802 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

Q: How severe is CVE-2020-6802?

CVE-2020-6802 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-6802?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Bleach, Fedoraproject Fedora.

Vulnerability Description

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Bleach	< 3.1.1
Fedoraproject	Fedora	30

Related Weaknesses (CWE)

CWE-79

References

https://advisory.checkmarx.net/advisory/CX-2020-4276ExploitThird Party Advisory
https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5rThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleachExploitThird Party Advisory
https://advisory.checkmarx.net/advisory/CX-2020-4276ExploitThird Party Advisory
https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5rThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleachExploitThird Party Advisory

FAQ

What is CVE-2020-6802?

CVE-2020-6802 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

How severe is CVE-2020-6802?

CVE-2020-6802 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-6802?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Bleach, Fedoraproject Fedora.