CVE-2021-43818

Severity: 7.1 HIGH
EPSS: 4.1% (top 11.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 13; latest update Jan 12

Description

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Exploitability: 2.8 | Impact: 4.7

Affected Packages (9 packages)

Source      Package               Affected versions
PyPI        lxml                  < 4.6.5
CVEListV5   lxml/lxml             < 4.6.5
NVD         lxml/lxml             < 4.6.5
Debian      lxml                  < 4.6.3+dfsg-0.1+deb11u1 (+3 more)
NVD         oracle/http_server    12.2.1.3.0, 12.2.1.4.0 (+1 more)

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35

Patches

Vulnerability Details (4)

CVEList: HTML Cleaner allows crafted and SVG embedded scripts to pass through (2021-12-13)
OSV: CVE-2021-43818: lxml is a library for processing XML and HTML in the Python language (2021-12-13)
GHSA: lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through (2021-12-13)
OSV: lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through (2021-12-13)

Vendor Advisories (4)

Ubuntu: lxml vulnerability (2022-01-12)
Microsoft: HTML Cleaner allows crafted and SVG embedded scripts to pass through (2021-12-14)
Red Hat: python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through (2021-12-12)
Debian: CVE-2021-43818: lxml - lxml is a library for processing XML and HTML in the Python language. Prior to v... (2021)
CVE-2021-43818 (HIGH CVSS 7.1) | lxml is a library for processing XM | cvebase.io