Microco: >> Bluemonday Security Vulnerabilities
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-10-18
bluemonday before 1.0.5 allows XSS because certain Go lowercasing converts an uppercase Cyrillic character, defeating a protection mechanism against the "script" string.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-03-27