XSS Vulnerability in Python-lxml's Cleaner Class
CVE-2021-28957

6.1 MEDIUM

Key Information:

Vendor: Lxml
Status: Vendor
CVE Published: 21 March 2021

What is CVE-2021-28957?

Python-lxml's clean module, in versions prior to 4.6.3, is vulnerable to Cross-Site Scripting (XSS) through the Cleaner class. If both the safe_attrs_only and forms parameters are disabled, the formaction attribute is not removed, so an HTML5 form-override attribute can pass through the HTML sanitizer. A remote attacker could use this to run arbitrary JavaScript in the browser of a user who interacts with the improperly sanitized HTML. The issue is fixed in lxml version 4.6.3; applications that use the Cleaner should update to that version or later.
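The two Cleaner options named above, shown side by side with a small post-sanitization audit. This is an added example, not code from the advisory or from the lxml project: the sample HTML, the function names and the FORM_OVERRIDE_ATTRS list are constructed here, and the audit is a standard-library check that runs even where lxml is not installed. The Cleaner defaults (safe_attrs_only=True, forms=True) are the safe setting; the weak setting is the non-default combination the advisory describes.

```python
"""
Added example (not from the advisory or the lxml project): shows the two
Cleaner settings named in CVE-2021-28957 and adds a stdlib-only audit that
flags any leftover form-override attribute in sanitized output.
"""
from html.parser import HTMLParser

try:
    # Since lxml 5.2.0 the clean module ships as the separate lxml_html_clean
    # package; older lxml versions import it as lxml.html.clean.
    from lxml_html_clean import Cleaner
except ImportError:
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        Cleaner = None  # lxml not installed; the audit below still works

# Constructed sample: a button whose formaction attribute redirects the form
# submission. This is the attribute the advisory says survives the sanitizer
# when both safe_attrs_only and forms are disabled.
SAMPLE_HTML = (
    '<form action="/comment"><p>Hello</p>'
    '<button formaction="https://example.invalid/elsewhere">Post</button></form>'
)

# Weak configuration from the advisory: both protections switched off.
WEAK_CLEANER_KWARGS = {"safe_attrs_only": False, "forms": False}
# Safe configuration: the lxml defaults (both True). forms=True removes the
# form controls themselves; safe_attrs_only=True drops attributes that are
# not on the Cleaner's allow-list, formaction included.
SAFE_CLEANER_KWARGS = {"safe_attrs_only": True, "forms": True}


def clean_html(html, **cleaner_kwargs):
    """Run lxml's Cleaner with the given options; None if lxml is absent."""
    if Cleaner is None:
        return None
    return Cleaner(**cleaner_kwargs).clean_html(html)


class _AttrAudit(HTMLParser):
    """Collects (tag, attribute) pairs whose attribute name is flagged."""

    def __init__(self, flagged_attrs):
        super().__init__()
        self.flagged_attrs = {a.lower() for a in flagged_attrs}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        for name, _value in attrs:
            if name in self.flagged_attrs:
                self.findings.append((tag, name))


# formaction is the attribute from the advisory; the other three are the
# same family of HTML5 form-override attributes. Including them is an
# assumption about what a stricter audit would also want to catch.
FORM_OVERRIDE_ATTRS = ("formaction", "formmethod", "formenctype", "formtarget")


def find_form_override_attrs(html, flagged=FORM_OVERRIDE_ATTRS):
    """Return [(tag, attr), ...] for every flagged attribute left in html."""
    audit = _AttrAudit(flagged)
    audit.feed(html)
    audit.close()
    return audit.findings


def is_sanitized(html):
    """True when no form-override attribute survives in html."""
    return not find_form_override_attrs(html)


if __name__ == "__main__":
    print("raw input flagged:", find_form_override_attrs(SAMPLE_HTML))
    for label, kwargs in (("weak", WEAK_CLEANER_KWARGS), ("safe", SAFE_CLEANER_KWARGS)):
        out = clean_html(SAMPLE_HTML, **kwargs)
        if out is None:
            print("lxml not installed; skipping Cleaner run")
            break
        print(f"{label}: {out!r} -> sanitized={is_sanitized(out)}")
```

The audit is deliberately independent of lxml: treating "no formaction left in the output" as a release check means a future change to Cleaner options in application code is caught by a test rather than by a report. On a patched lxml (4.6.3 or later) even the weak configuration strips formaction, so the audit is also a quick way to confirm which behaviour the installed version has.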

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved