GHSA-3x58-xr87-2fcj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x58-xr87-2fcj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3x58-xr87-2fcj/GHSA-3x58-xr87-2fcj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x58-xr87-2fcj
- Aliases
- Published
- 2021-05-18T21:07:37Z
- Modified
- 2024-05-20T21:19:56Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site scripting in bluemonday
- Details
-
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2021-05-18T21:05:51Z", "nvd_published_at": null, "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-29272
- https://github.com/microcosm-cc/bluemonday/issues/111
- https://github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee
- https://github.com/microcosm-cc/bluemonday
- https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5
- https://pkg.go.dev/vuln/GO-2022-0762
- https://vuln.ryotak.me/advisories/4
- https://vuln.ryotak.me/advisories/4.txt
Affected packages
Go / github.com/microcosm-cc/bluemonday
Package
- Name
- github.com/microcosm-cc/bluemonday
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/microcosm-cc/bluemonday