CVE-2021-42576
Cross-site scripting via leaked style elements in github.com/microcosm-cc/bluemonday
9.8
CRITICAL
CVSS 3.1
EPSS 0.32%
Description
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
How to fix CVE-2021-42576
To remediate CVE-2021-42576, upgrade the affected package to a fixed version below.
- Debian/golang-github-microcosm-cc-bluemonday—no fix listed
- —upgrade to 1.0.16 or later
- —upgrade to 1.0.16 or later
- —upgrade to 0.0.8 or later
- —upgrade to 0.0.8 or later
Is CVE-2021-42576 being exploited?
Low — EPSS is 0.3%, meaning the estimated probability of exploitation in the wild is low and no widespread exploitation activity has been observed.
Affected packages (5)
- from 0
- from 0, < 1.0.16
- from 0, < 1.0.16
- from 0, < 0.0.8
- from 0, < 0.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |