HTML Cleaner allows crafted and SVG embedded scripts to pass through
CVE-2021-43818

8.2HIGH

Key Information:

Vendor: Lxml
Status: Lxml
Vendor: CVE Published:; 13 December 2021

What is CVE-2021-43818?

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Affected Version(s)

lxml < 4.6.5

References

https://github.com/lxml/lxml/security/advisories/GHSA-55x...

x_refsource_CONFIRM

https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d...

x_refsource_MISC

https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec...

x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2021
Vulnerability Reserved
Nov 16, 2021

CVE-2021-43818 Data

JSON