
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-6802 is a mutation cross-site scripting (mXSS) vulnerability in Mozilla Bleach, the Python HTML sanitizing library, affecting versions before 3.1.1. The vulnerability was discovered in early 2020 and affects applications that call bleach.clean with noscript and at least one raw-text tag (for example style) both present in the allowed/whitelisted tags option (GitHub Advisory, NVD).
The root cause is a parser differential between the sanitizer and the browser. HTML parses the contents of a noscript element differently depending on whether scripting is enabled: with scripting enabled, a browser treats everything up to the closing noscript tag as raw text; with scripting disabled, the contents are parsed as ordinary HTML. Bleach's html5lib-based parser follows the scripting-disabled rule, so a raw-text element such as style opened inside noscript can hide a closing noscript tag and a payload inside what the sanitizer regards as inert text. The sanitizer passes those bytes through unchanged, and the browser, applying the scripting-enabled rule, closes the noscript element early and parses the remainder as markup. The condition is met when noscript is allowed together with HTML comments or one of the raw-text tags title, textarea, script, style, noembed, noframes, iframe, or xmp. The CVSS v3.1 base score is 6.1 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Checkmarx Blog).
Checkmarx estimated that over 72,000 repositories depended on Bleach at the time, including projects from multiple Fortune 500 technology companies. An attacker who can get attacker-controlled HTML through a vulnerable bleach.clean call (for example via user-submitted content) can execute arbitrary JavaScript in the browsers of users of any site that renders the sanitized output (Checkmarx Blog).
The vulnerability was fixed in Bleach 3.1.1, released on February 19, 2020; upgrade to that version or later. If upgrading is not immediately possible, remove noscript from the allowed tags of every bleach.clean call that also allows any of the raw-text tags listed above (or remove those raw-text tags instead). As defense in depth, a strict Content-Security-Policy whose script-src excludes 'unsafe-inline' and 'unsafe-eval' limits what an injected payload can do, although it does not remove the injection itself (GitHub Advisory, Checkmarx Blog).
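The following is an added example written for this page; it is not code from Bleach, Mozilla, or the advisory. It models the parser differential described above with a deliberately small tokenizer (only the noscript and raw-text rules, no full HTML5 tree construction) so that it runs without Bleach installed, and it implements the pre-upgrade allowlist check from the workaround. The sample input string, the element list returned by element_names, and the helper names are assumptions made for the example.

```python
import re

# Raw-text elements whose contents html5lib and browsers never parse as markup.
# This is the tag list the advisory names; HTML comments are left out of this model.
RAW_TEXT_TAGS = frozenset(
    {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}
)

# Constructed sample input in the shape the advisory describes: a raw-text tag
# opened inside noscript, with a noscript end tag inside the raw text.  It is a
# demonstration string written for this example, not a payload from the page.
SAMPLE_INPUT = "<noscript><style></noscript><img src=x onerror=alert(1)>"

_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def element_names(markup, scripting_enabled):
    """Simplified tokenizer modelling only the rule at issue.

    With scripting enabled a browser treats everything up to </noscript> as raw
    text; with scripting disabled (the rule Bleach's html5lib-based parser
    followed before 3.1.1) the same bytes are parsed as markup.  The other
    raw-text elements behave the same in both modes.  Returns the start tags
    that become elements, in document order.
    """
    raw_tags = set(RAW_TEXT_TAGS)
    if scripting_enabled:
        raw_tags.add("noscript")
    seen = []
    pos = 0
    while True:
        m = _TAG_RE.search(markup, pos)
        if m is None:
            break
        is_end, name = bool(m.group(1)), m.group(2).lower()
        pos = m.end()
        if is_end:
            continue  # stray end tags do not create elements
        seen.append(name)
        if name in raw_tags:
            # Raw text: skip to the matching end tag; nothing inside is markup.
            end = re.search(rf"</{name}\s*>", markup[pos:], re.IGNORECASE)
            pos = pos + end.end() if end else len(markup)
    return seen


def browser_only_elements(markup):
    """Elements the browser (scripting on) creates that the sanitizer never saw.

    A non-empty result is the mutation XSS condition: the sanitizer passed the
    bytes through as inert raw text and the browser turned them into tags.
    """
    sanitizer_view = set(element_names(markup, scripting_enabled=False))
    browser_view = set(element_names(markup, scripting_enabled=True))
    return browser_view - sanitizer_view


def raw_tag_conflicts(allowed_tags):
    """Pre-upgrade check for a bleach.clean tag allowlist.

    Returns the raw-text tags that, together with noscript, put the call in the
    vulnerable configuration the advisory describes; an empty set means the
    list is fine with respect to CVE-2020-6802.
    """
    tags = {t.lower() for t in allowed_tags}
    if "noscript" not in tags:
        return set()
    return tags & RAW_TEXT_TAGS


def harden_allowlist(allowed_tags):
    """Apply the advisory's workaround: drop noscript when the combination would
    be vulnerable, otherwise return the list unchanged (order preserved)."""
    if not raw_tag_conflicts(allowed_tags):
        return list(allowed_tags)
    return [t for t in allowed_tags if t.lower() != "noscript"]


if __name__ == "__main__":
    print("sanitizer sees:", element_names(SAMPLE_INPUT, scripting_enabled=False))
    print("browser sees:  ", element_names(SAMPLE_INPUT, scripting_enabled=True))
    print("browser-only:  ", browser_only_elements(SAMPLE_INPUT))
    print("conflicts:", raw_tag_conflicts(["p", "noscript", "style"]))
    print("hardened: ", harden_allowlist(["p", "noscript", "style"]))
```

Run stand-alone, the script shows the sanitizer-side parse ending at a style element whose raw text swallows the rest of the input, while the browser-side parse closes noscript early and produces an img element the sanitizer never inspected. The allowlist helpers are the check to run over existing bleach.clean calls before the upgrade lands; they do not replace upgrading, since a model this small proves nothing about other parser differentials.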
Source: This report was generated using AI