
CVE-2020-27783

Published: 3 December 2020

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser did not properly imitate browser parsing, so the sanitizer and the user's browser could interpret the same markup differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
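The flaw described above is a parser mismatch: the sanitizer judges its own output with one parser while the browser renders it with another. The defence-in-depth check below is an added example, not code from lxml or from the Ubuntu tracker; it assumes nothing about the fixed commits and works with any sanitizer passed in as a callable (lxml's Cleaner or another). It re-reads the sanitizer's output with an independent parser (the standard library's html.parser), flags anything a browser could execute, and checks that sanitizing twice gives the same result, since a sanitizer that keeps changing its own output is reading markup differently from how it wrote it. The allowlist policy, helper names and sample fragments are all constructed for this example.

```python
"""Post-sanitization audit for HTML fragments (constructed example, not lxml's code)."""
from html.parser import HTMLParser
from typing import Callable, List, Optional, Tuple

# Constructed allowlist policy for the audit; tune it to your application.
DISALLOWED_TAGS = {"script", "iframe", "object", "embed", "base", "meta"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _normalize_url(value: str) -> str:
    # Browsers ignore whitespace and control characters around the scheme,
    # so strip them before comparing; compare case-insensitively.
    return "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()


class PostSanitizeAuditor(HTMLParser):
    """Second-opinion parser: records anything executable it sees."""

    def __init__(self) -> None:
        # convert_charrefs=True decodes entities in attribute values, so an
        # entity-encoded scheme is compared in its decoded form.
        super().__init__(convert_charrefs=True)
        self.findings: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        # HTMLParser lowercases tag and attribute names; self-closing tags
        # also arrive here via the default handle_startendtag.
        if tag in DISALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f'event handler attribute "{name}" on <{tag}>')
            elif name in URL_ATTRS and value and _normalize_url(value).startswith(SCRIPT_SCHEMES):
                self.findings.append(f'scripting URL in "{name}" on <{tag}>: {value!r}')


def audit_sanitized_html(fragment: str) -> List[str]:
    """Return a list of findings for an already-sanitized fragment; empty means it passed."""
    auditor = PostSanitizeAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings


def is_idempotent(sanitize: Callable[[str], str], fragment: str) -> bool:
    """True when running the sanitizer on its own output changes nothing.

    A sanitizer whose output keeps changing on re-run is interpreting the
    markup it produced differently from how it serialized it, which is the
    warning sign for the sanitizer/browser mismatch this CVE describes.
    """
    once = sanitize(fragment)
    return sanitize(once) == once


def verify_sanitizer_output(sanitize: Callable[[str], str], fragment: str) -> List[str]:
    """Run the sanitizer on a fragment, then apply both checks to what it produced."""
    cleaned = sanitize(fragment)
    findings = audit_sanitized_html(cleaned)
    if not is_idempotent(sanitize, fragment):
        findings.append("sanitizer is not idempotent on this input")
    return findings


if __name__ == "__main__":
    # Constructed samples: one benign fragment and two that an audited
    # sanitizer should never have let through.
    for sample in (
        '<p>Hello <b>world</b> <a href="https://example.com">link</a></p>',
        '<p><img src="x" onerror="handler()"></p>',
        '<a href=" JavaScript:void(0)">x</a>',
    ):
        print(repr(sample), "->", audit_sanitized_html(sample) or "ok")
```

Use `verify_sanitizer_output(cleaner.clean_html, untrusted)` with whatever sanitizer you deploy; a non-empty result means the output should be rejected rather than served, regardless of what the sanitizer itself reported.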

Notes

sbeattie: According to lxml upstream, the first commit does not fix this completely; the second commit is needed and fixes the issue better.
Priority: Medium

CVSS 3 base score: 6.1

Status

Package: lxml (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (4.2.1-1ubuntu0.3)
focal      Released (4.5.0-1ubuntu0.2)
groovy     Released (4.5.2-1ubuntu0.3)
precise    Released (2.3.2-1ubuntu0.5)
trusty     Released (3.3.3-1ubuntu0.2+esm2)
upstream   Released (4.6.2-1)
xenial     Released (3.5.0-1ubuntu0.3)
Patches:
upstream: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
upstream: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7