| id: GO-2022-0762 |
| modules: |
| - module: github.com/microcosm-cc/bluemonday |
| versions: |
| - fixed: 1.0.5 |
| vulnerable_at: 1.0.4 |
| packages: |
| - package: github.com/microcosm-cc/bluemonday |
| symbols: |
| - Policy.sanitize |
| derived_symbols: |
| - Policy.Sanitize |
| - Policy.SanitizeBytes |
| - Policy.SanitizeReader |
| summary: |- |
| Cross-site scripting due to incorrect sanitization in |
| github.com/microcosm-cc/bluemonday |
| description: |- |
| An XSS injection was possible because the sanitization of the Cyrillic character |
| i bypass a protection mechanism against user-inputted HTML elements such as the |
| <script> tag. |
| published: 2021-05-18T21:07:37Z |
| cves: |
| - CVE-2021-29272 |
| ghsas: |
| - GHSA-3x58-xr87-2fcj |
| references: |
| - fix: https://github.com/microcosm-cc/bluemonday/commit/524f142fe46e945b7dcd291d7805c4b7dcf75bee |
| - web: https://github.com/microcosm-cc/bluemonday/issues/111 |
| - web: https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.5 |
| review_status: REVIEWED |