CVE-2020-6816: 
Python vulnerability analysis and mitigation

CVE-2020-6816 is a mutation XSS vulnerability discovered in Mozilla Bleach versions before 3.1.2. The vulnerability was discovered in early 2020 and publicly disclosed on March 17, 2020. The issue affects the bleach.clean function when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False is used (GitHub Advisory, NVD).

The vulnerability occurs due to incoherent parsing between the client and the sanitizer when using svg/math tags. The parsing inside these tags behaves like XML, causing different interpretation of nested tags like style. When certain tags are placed inside svg/math->style->img pattern, Bleach fails to properly sanitize unwanted tags when the 'strip' parameter is set to false. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Checkmarx Blog, NVD).

The vulnerability could allow an attacker to execute arbitrary JavaScript code on the user end through sites or projects that use Bleach. According to GitHub, more than 72,000 repositories were dependent on Bleach at the time of discovery, including multiple Fortune 500 tech companies (Checkmarx Blog).

Users are recommended to upgrade to Bleach version 3.1.2 or greater. Alternative workarounds include modifying bleach.clean calls to use strip=True, or not whitelisting math or svg tags. Additionally, implementing a strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs can help mitigate the risk (GitHub Advisory).

The vulnerability was responsibly disclosed to Mozilla by the Checkmarx Security Research Team. Mozilla responded quickly by opening a Bugzilla ticket and working on a proper mitigation approach. The fixed version was released promptly, and Checkmarx customers using CxSCA were automatically notified to update Mozilla-Bleach (Checkmarx Blog).