CVE-2021-28957
Published: 21 March 2021
An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When both the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, which allows JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
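The practical lesson of this advisory is that formaction is a URL-bearing attribute like href or src and must be treated as one by any sanitizer. The following is an added example, not code from the lxml project or the Ubuntu tracker: it runs lxml's Cleaner with its default safe_attrs_only=True and forms=True (the settings under which formaction never reaches the output) and then audits the result with a standard-library parser for any surviving event-handler attributes or javascript:/vbscript: URLs, so the check works as a regression test regardless of the installed lxml version. The sample inputs, the URL_ATTRS list and the function names are constructed for this example.

```python
"""Sanitize with lxml's Cleaner and independently audit the output.

Added example for CVE-2021-28957; not code from the lxml project.
The audit uses only the standard library so it also runs where lxml
(or, for lxml 5.2 and later, the separate lxml_html_clean package that
now provides lxml.html.clean) is not installed.
"""
from html.parser import HTMLParser

try:
    from lxml.html.clean import Cleaner
except ImportError:
    Cleaner = None

# Attributes whose value is a URL and can therefore carry a script scheme.
# formaction is the one the vulnerable configuration (safe_attrs_only=False,
# forms=False) left in place. This list is constructed for the example.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}


def is_script_url(value):
    """True if the attribute value resolves to a javascript:/vbscript: URL.

    Browsers ignore leading whitespace and control characters before the
    scheme and match it case-insensitively, so the check normalises the same way.
    """
    cleaned = "".join(
        ch for ch in value if ch.isprintable() and not ch.isspace()
    ).lower()
    return cleaned.startswith("javascript:") or cleaned.startswith("vbscript:")


class _Auditor(HTMLParser):
    """Collect (tag, attribute, value) triples that a sanitizer must not emit."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities in values are decoded
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name in URL_ATTRS and value is not None and is_script_url(value):
                self.findings.append((tag, name, value))


def audit_sanitized_html(html):
    """Return the list of script-capable attributes still present in html."""
    parser = _Auditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def sanitize_with_cleaner(html):
    """Run Cleaner with its defaults: forms=True drops the form and its
    controls, safe_attrs_only=True keeps only whitelisted attributes."""
    if Cleaner is None:
        raise RuntimeError("lxml.html.clean is not available")
    return Cleaner(safe_attrs_only=True, forms=True).clean_html(html)


def sanitize_and_verify(html):
    """Sanitize and refuse to return output that still fails the audit."""
    cleaned = sanitize_with_cleaner(html)
    findings = audit_sanitized_html(cleaned)
    if findings:
        raise ValueError("sanitizer left script-capable attributes: %r" % findings)
    return cleaned


if __name__ == "__main__":
    # Constructed sample: the attribute named in the advisory, as an input
    # a sanitizer must strip. The audit alone needs no lxml.
    sample = '<form><button formaction="javascript:alert(1)">go</button></form>'
    print("unsanitized audit:", audit_sanitized_html(sample))
    if Cleaner is not None:
        print("sanitized:", sanitize_and_verify(sample))
```

The audit is deliberately independent of the sanitizer: a configuration drift (someone setting safe_attrs_only=False to keep a custom attribute) or an upgrade to an unpatched build is caught at the output rather than trusted at the input. Running it over sanitized content in a test suite turns this advisory into a permanent regression check.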
Priority
CVSS 3 base score: 6.1
Status
| Package | Release | Status |
|---|---|---|
| lxml | bionic | Released (4.2.1-1ubuntu0.4) |
| lxml | focal | Released (4.5.0-1ubuntu0.3) |
| lxml | groovy | Released (4.5.2-1ubuntu0.4) |
| lxml | precise | Ignored |
| lxml | trusty | Released (3.3.3-1ubuntu0.2+esm3) |
| lxml | upstream | Released (4.6.3-1) |
| lxml | xenial | Released (3.5.0-1ubuntu0.4) |

Patches: upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
- https://bugs.launchpad.net/lxml/+bug/1888153
- https://github.com/lxml/lxml/pull/316
- https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
- https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
- https://ubuntu.com/security/notices/USN-4896-1
- https://ubuntu.com/security/notices/USN-4896-2