Skip to main content

Bluemonday

2 CVEs product

Monthly

CVE-2021-42576 LIB CRITICAL POC PATCH Act Now

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Bluemonday Pybluemonday
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-29272 Go MEDIUM PATCH This Month

bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bluemonday
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Bluemonday +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bluemonday
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy