CVE-2021-28957

Published: 21 March 2021

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, so a javascript: URL placed in it (for example on a submit button, where formaction overrides the enclosing form's action) passes through the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browser of any user who interacts with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
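The following is an added example for this advisory, not lxml's code and not part of the Ubuntu tracker page. It shows the shape of the bypass (a constructed payload with formaction on a submit button), a standard-library post-filter that audits and strips sanitizer output so a deployment that cannot upgrade still drops the attribute, and, when the clean module is importable, a call to lxml's Cleaner with the trigger settings named above (safe_attrs_only and forms disabled). The scheme allowlist and the decision to drop formaction unconditionally are this example's own policy choices; the PAYLOAD string is constructed for the demonstration.

```python
"""Post-filter for sanitizer output, written around CVE-2021-28957.

Added example: not lxml's code.  Standard library only, so it runs without
lxml; clean_with_lxml() is optional and returns None when the clean module
cannot be imported.  The allowlist and the "always drop formaction" rule are
this example's policy, not lxml's behaviour.
"""
import re
from html import escape
from html.parser import HTMLParser

# Attributes a browser treats as URLs to navigate to, fetch, or execute.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster", "background"}
# Allowed schemes; anything else (javascript:, vbscript:, data:, ...) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def url_is_safe(value: str) -> bool:
    """Allowlist the scheme the way a browser parses it: tab/CR/LF are ignored
    anywhere, leading/trailing control chars and spaces are ignored, and the
    scheme is case-insensitive.  Scheme-less (relative) URLs are allowed."""
    v = re.sub(r"[\t\n\r]", "", value).strip(_C0_AND_SPACE)
    m = _SCHEME_RE.match(v)
    if m is None:
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES


def attr_is_unsafe(name: str, value) -> bool:
    """Whether one attribute must be dropped from sanitizer output."""
    name = name.lower()
    if name.startswith("on"):        # inline event handler
        return True
    if name == "formaction":
        # CVE-2021-28957: lxml < 4.6.3 left this attribute alone.  It lets a
        # submit button override <form action>, so this post-filter drops it
        # outright instead of trusting the upstream sanitizer (policy choice).
        return True
    return name in URL_ATTRS and value is not None and not url_is_safe(value)


class _Rewriter(HTMLParser):
    """Re-serialises markup, recording and dropping unsafe attributes.
    HTMLParser already entity-decodes attribute values, so &#106;avascript:
    is seen as javascript: before the scheme check."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.findings = []   # (tag, attr, value) for every dropped attribute

    def _start(self, tag, attrs, self_closing):
        parts = [f"<{tag}"]
        for name, value in attrs:
            if attr_is_unsafe(name, value):
                self.findings.append((tag, name, value))
            elif value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append("/>" if self_closing else ">")
        self.out.append("".join(parts))

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def find_unsafe_attrs(html: str):
    """Audit sanitizer output: [(tag, attr, value), ...], empty when clean."""
    r = _Rewriter()
    r.feed(html)
    r.close()
    return r.findings


def strip_unsafe_attrs(html: str) -> str:
    """Defence-in-depth post-filter: same markup with unsafe attributes removed."""
    r = _Rewriter()
    r.feed(html)
    r.close()
    return "".join(r.out)


def clean_with_lxml(html: str):
    """Run lxml's Cleaner with the CVE's trigger settings.  Returns None when
    lxml.html.clean is not importable (lxml absent, or lxml >= 5.2 without the
    separate lxml_html_clean package)."""
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return None
    return Cleaner(safe_attrs_only=False, forms=False).clean_html(html)


# Constructed payload in the shape the advisory describes.
PAYLOAD = ('<form action="/login"><button formaction="javascript:alert(document.cookie)">'
           'Log in</button></form>')

if __name__ == "__main__":
    print("findings:", find_unsafe_attrs(PAYLOAD))
    print("filtered:", strip_unsafe_attrs(PAYLOAD))
    print("lxml    :", clean_with_lxml(PAYLOAD))
```

On lxml 4.6.3 or later the Cleaner output contains no javascript: URL; on a vulnerable version the formaction survives and find_unsafe_attrs() reports it, which makes the audit function a usable regression test for the sanitizer in a CI pipeline. The post-filter is a stopgap, not a replacement for upgrading: it only inspects attributes, so it does nothing about problems a sanitizer handles at the element level.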

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: lxml (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (4.2.1-1ubuntu0.4)
focal      Released (4.5.0-1ubuntu0.3)
groovy     Released (4.5.2-1ubuntu0.4)
precise    Ignored
trusty     Released (3.3.3-1ubuntu0.2+esm3)
upstream   Released (4.6.3-1)
xenial     Released (3.5.0-1ubuntu0.4)
Patches:
upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d