A mutation XSS affects users calling bleach.clean with all of:
- svg or math in the allowed tags
- p or br in the allowed tags
- style in the allowed tags
- the keyword argument strip_comments=False
Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.
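A static check for the affected combination, added here as an example (not code from bleach or from this advisory): it scans Python source for bleach.clean calls whose literal keyword arguments meet all four conditions above. The function names and the sample source are constructed for illustration; calls that import clean under another name, pass tags positionally, or build their arguments at runtime are not resolved and need manual review.

```python
import ast

# The three tag conditions from the advisory's list.
SVG_OR_MATH, P_OR_BR, STYLE = {"svg", "math"}, {"p", "br"}, {"style"}


def config_is_affected(tags, strip_comments=True):
    """True when the arguments meet every condition in the advisory."""
    tags = {str(t).lower() for t in tags}
    return (bool(tags & SVG_OR_MATH) and bool(tags & P_OR_BR)
            and bool(tags & STYLE) and strip_comments is False)


def _literal(node):
    """Value of a literal argument, or None if it is computed at runtime."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return None


def find_affected_calls(source):
    """Sorted line numbers of bleach.clean(...) calls with the affected settings."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        func = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(func, ast.Attribute)
                and func.attr == "clean" and isinstance(func.value, ast.Name)
                and func.value.id == "bleach"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        # Omitted arguments use the defaults: no listed tags, strip_comments=True.
        tags = _literal(kwargs["tags"]) if "tags" in kwargs else ()
        strip = _literal(kwargs["strip_comments"]) if "strip_comments" in kwargs else True
        if not isinstance(tags, (list, tuple, set, frozenset)) or strip is None:
            continue  # not a literal: needs manual review
        if config_is_affected(tags, strip):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed sample source; only lines 3 and 5 meet all four conditions.
SAMPLE = '''import bleach
a = bleach.clean(html)
b = bleach.clean(html, tags=["svg", "p", "style"], strip_comments=False)
c = bleach.clean(html, tags=["svg", "p", "style"])
d = bleach.clean(html, tags=["math", "br", "style", "a"], strip_comments=False)
'''
print(find_affected_calls(SAMPLE))
```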
The impact of this vulnerability on Ansible Automation Platform is reduced from Medium to Low because the affected functionality of the Python bleach library is not enabled by default.