CVE-2020-27783

Published: 03 December 2020

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser did not properly imitate browser parsing, so the sanitizer and the user's browser interpreted the same HTML differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package release status (package: lxml; Launchpad, Ubuntu, Debian)
Upstream: Released (4.6.2-1)
Ubuntu 20.04 LTS (Focal Fossa): Released (4.5.0-1ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): Released (4.2.1-1ubuntu0.3)
Ubuntu 16.04 ESM (Xenial Xerus): Released (3.5.0-1ubuntu0.3)
Ubuntu 14.04 ESM (Trusty Tahr): Released (3.3.3-1ubuntu0.2+esm2)
Patches:
Upstream: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
Upstream: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7