CVE-2021-42576
HTML sanitizer vulnerability in pybluemonday (PyPI)
What is CVE-2021-42576 About?
The bluemonday HTML sanitizer can leak 'style' element content in certain user-defined policies, leading to potential Cross-Site Scripting (XSS) vulnerabilities. This occurs when policies allow 'select', 'style', and 'option' elements without specific CSS sanitization. Exploitation requires an attacker to control the input to the sanitizer and for the application to use a vulnerable custom policy.
Affected Software
- pybluemonday: <0.0.8
- github.com/microcosm-cc/bluemonday: <1.0.16
Technical Details
The bluemonday HTML sanitizer is susceptible to a vulnerability where the content of 'style' elements can be leaked into the HTML output. This occurs specifically when user-defined sanitization policies explicitly permit the 'select', 'style', and 'option' elements, but the sanitizer lacks a dedicated CSS sanitizer. The mechanism of the exploit involves an attacker injecting malicious CSS or script within a 'style' element in the input HTML. Since bluemonday does not sanitize the CSS within 'style' tags in these specific policy configurations, the malicious content passes through the sanitizer and is rendered by the browser, potentially leading to XSS. Newer versions mitigate this by suppressing 'style' and 'script' elements unless unsafe processing is explicitly requested, even if allowed by policy.
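As an added example (not from this advisory, and not code from bluemonday or pybluemonday), the Python below inspects a sanitizer's output and flags any 'style' or 'script' element whose text content survived, which is the regression check a team running a custom 'select'/'style'/'option' policy on a pre-fix version would want in its test suite. It relies only on the standard library's html.parser; the names find_leaks, policy_matches_advisory and LeakDetector, and the two sample output strings, are this example's own constructions and nothing here calls the bluemonday API.

```python
from html.parser import HTMLParser

# Elements whose raw text content must never reach the browser from sanitizer
# output in the policy configuration this advisory describes.
RAW_TEXT_ELEMENTS = {"style", "script"}


class LeakDetector(HTMLParser):
    """Collects the content of every 'style'/'script' element in a document.

    html.parser switches to raw-text (CDATA) mode inside these elements, so the
    CSS or script body arrives via handle_data exactly as a browser would see it.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._open = []   # stack of [tag, [content chunks]] for open raw-text elements
        self.leaks = []   # list of (tag, content) pairs found so far

    def handle_starttag(self, tag, attrs):
        # Tag names arrive lower-cased, so <STYLE> and <style> are treated alike.
        if tag in RAW_TEXT_ELEMENTS:
            self._open.append([tag, []])

    def handle_data(self, data):
        # Only record text while inside a raw-text element.
        if self._open:
            self._open[-1][1].append(data)

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            name, chunks = self._open.pop()
            self.leaks.append((name, "".join(chunks).strip()))

    def finish(self):
        """Flush buffered input; an element still open at EOF is also a leak."""
        self.close()
        while self._open:
            name, chunks = self._open.pop()
            self.leaks.append((name, "".join(chunks).strip()))
        return self.leaks


def find_leaks(sanitized_html: str):
    """Return [(tag, content), ...] for raw-text elements that survived sanitization."""
    detector = LeakDetector()
    detector.feed(sanitized_html)
    return detector.finish()


def policy_matches_advisory(allowed_elements) -> bool:
    """True when a custom policy allows the element combination the advisory names.

    Assumption (this example's own): allowed_elements is the list of element
    names the application passes to its policy's AllowElements call.
    """
    return {"select", "style", "option"} <= {e.lower() for e in allowed_elements}


# Constructed sanitizer outputs (not captured from bluemonday) used to exercise the check.
SAFE_OUTPUT = '<select><option value="a">A</option></select>'
LEAKY_OUTPUT = '<select><style>body { color: red }</style><option value="a">A</option></select>'

if __name__ == "__main__":
    for label, out in (("safe", SAFE_OUTPUT), ("leaky", LEAKY_OUTPUT)):
        print(label, find_leaks(out))
```

In practice you would run your real policy over a fixture that contains a 'style' element and pass the sanitizer's return value to find_leaks; a non-empty result means the policy and version combination reproduces the condition the advisory describes and the upgrade below is needed. The check deliberately looks at output rather than input, so it also catches the case where the sanitizer version silently changes behaviour in a future upgrade.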
What is the Impact of CVE-2021-42576?
Successful exploitation may allow attackers to inject malicious scripts into web pages, steal user credentials, deface websites, or hijack user sessions.
What is the Exploitability of CVE-2021-42576?
Exploitation complexity is moderate, requiring an attacker to be able to provide arbitrary HTML input to an application that utilizes the bluemonday sanitizer with a vulnerable, user-defined policy. There are no explicit authentication or privilege requirements, meaning an unauthenticated attacker could potentially exploit this if they can submit HTML content. Remote exploitation is highly probable, as it involves web-based input. Special conditions include the application using a bluemonday version prior to the fix and employing a custom policy that allows 'select', 'style', and 'option' elements without additional CSS sanitization. The risk increases significantly if user-supplied content is filtered by such a policy alone and then rendered client-side without further controls.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-42576?
Available Upgrade Options
- github.com/microcosm-cc/bluemonday: <1.0.16 → Upgrade to 1.0.16
- pybluemonday: <0.0.8 → Upgrade to 0.0.8
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/pybluemonday/PYSEC-2021-849.yaml
- https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/
- https://github.com/microcosm-cc/bluemonday
- https://nvd.nist.gov/vuln/detail/CVE-2021-42576
- https://pkg.go.dev/vuln/GO-2022-0588
- https://osv.dev/vulnerability/GHSA-x95h-979x-cf3j
- https://github.com/microcosm-cc/bluemonday/commit/c788a2a4d42e081ad54a31368478820bb4a42fb4
- https://github.com/advisories/GHSA-x95h-979x-cf3j
- https://pypi.org/project/pybluemonday
What are Similar Vulnerabilities to CVE-2021-42576?
Similar Vulnerabilities: CVE-2020-7672, CVE-2021-3807, CVE-2023-34661, CVE-2023-34666, CVE-2023-34667
