CVE-2018-7753

Severity
9.8 CRITICAL
EPSS
0.5% (top 33.56%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
See Affected Packages below
Timeline
Published: Mar 7, 2018
Latest update: Mar 5, 2026

Description

An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that take URI values were not properly sanitized when the value contained character entities. By encoding part of the value as character entities, an attacker could construct a URI whose scheme was not on the allow-list, and it passed through the sanitizer unchanged; a browser then decodes the entities when it renders the attribute, so the disallowed scheme (for example javascript:) becomes live in the output.
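
The mechanism, as an added illustration that is not Bleach's own code: a scheme allow-list applied to the raw attribute text (the vulnerable pattern) beside one applied to the entity-decoded, whitespace-stripped form a browser actually resolves (the fix). The allow-list, the function names, the browser_view approximation and the sample inputs are assumptions made for this example.

```python
"""Illustration of the CVE-2018-7753 class of bug: a URI-scheme allow-list that
inspects the raw attribute text is bypassed by HTML character references,
because the browser decodes those references before resolving the URL.
Stand-alone reconstruction for this page; not Bleach's own code."""
import html
import re

# Hypothetical allow-list, modelled on the kind of protocol list sanitizers accept.
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}

# Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def _scheme_of(uri):
    """Return the lower-cased scheme of `uri`, or None for a relative reference."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else None


def naive_uri_allowed(value):
    """Vulnerable check: inspects the attribute text exactly as written in the markup.
    '&#106;avascript:...' has no visible 'javascript:' prefix, so it is let through."""
    scheme = _scheme_of(value)
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def browser_view(value):
    """Approximate what a browser does with an href before it looks at the scheme:
    1. decode character references (&#106; -> 'j', &colon; -> ':', &#9; -> TAB),
    2. strip leading/trailing C0 controls and spaces,
    3. remove any ASCII tab, LF or CR left inside the URL (URL Standard parsing step)."""
    decoded = html.unescape(value)
    decoded = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", decoded)
    return re.sub(r"[\t\n\r]", "", decoded)


def hardened_uri_allowed(value):
    """Fixed check: apply the allow-list to the form the browser will actually resolve."""
    scheme = _scheme_of(browser_view(value))
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def sanitize_href(value, check=hardened_uri_allowed):
    """Return the attribute value to emit, or None to drop the attribute entirely."""
    return value if check(value) else None


# Constructed test inputs: the first three are entity-encoded payloads of the kind the
# advisory describes; the undisguised one and the benign values are controls.
SAMPLES = [
    "&#106;avascript:alert(1)",        # decimal reference hides the 'j'
    "javascript&colon;alert(1)",       # named reference hides the ':'
    "java&#9;script:alert(1)",         # TAB inside the scheme; browsers strip it
    "javascript:alert(1)",             # undisguised; both checks catch this
    "https://example.com/",
    "/relative/path?q=1",
    "mailto:security@example.com",
]


def compare(samples=SAMPLES):
    """Map each sample to (naive_result, hardened_result)."""
    return {s: (naive_uri_allowed(s), hardened_uri_allowed(s)) for s in samples}


if __name__ == "__main__":
    for uri, (naive, hardened) in compare().items():
        print(f"{uri!r:35} naive={naive!s:5} hardened={hardened}")
```

The three disguised payloads pass `naive_uri_allowed` and are rejected by `hardened_uri_allowed`; the benign values pass both. The point a sanitizer author should take away is that the allow-list must be evaluated on the decoded value, and the value must be re-escaped on output afterwards, otherwise the check and the browser disagree about what the attribute says.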

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4)

Ecosystem | Package | Affected range / fix
PyPI | bleach | affected from 2.1.0, fixed in 2.1.3
Debian | python-bleach | < 2.1.3-1 (+3 more)
Ubuntu | python-bleach | < 1.4.2-1ubuntu0.1~esm1 (+2 more)
NVD | mozilla/bleach | 2.1, 2.1.1, 2.1.2 (+2 more)

Patches

🔴 Vulnerability Details (5)

OSV: python-bleach vulnerabilities (2026-03-05)
GHSA: Bleach URI Scheme Restriction Bypass (2019-01-04)
OSV: Bleach URI Scheme Restriction Bypass (2019-01-04)
OSV: CVE-2018-7753: An issue was discovered in Bleach 2 (2018-03-07)
CVEList: CVE-2018-7753: An issue was discovered in Bleach 2 (2018-03-07)

💥 Exploits & PoCs (1)

Exploit-DB: NewMark CMS 2.1 - 'sec_id' SQL Injection (2018-06-20)
Note: this Exploit-DB entry is a SQL injection in NewMark CMS, an unrelated product that happens to share the version string 2.1; it is not a proof of concept for the Bleach URI-scheme bypass, which is consistent with the "No known exploits" status above.

📋 Vendor Advisories (2)

Ubuntu: Bleach vulnerabilities (2026-03-05)
Debian: CVE-2018-7753: python-bleach - An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI v... (2018)

💬 Community (2)

Bugzilla: CVE-2018-7753 python-bleach: URI Scheme Restriction Bypass with character entities [fedora-26] (2018-03-19)
Bugzilla: CVE-2018-7753 python-bleach: URI Scheme Restriction Bypass with character entities (2018-03-19)
CVE-2018-7753 (CRITICAL CVSS 9.8) | An issue was discovered in Bleach 2 | cvebase.io