CVE-2021-28957

Published: 21 March 2021

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: lxml (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Released (4.6.3-1)
Ubuntu 20.04 LTS (Focal Fossa)       Released (4.5.0-1ubuntu0.3)
Ubuntu 18.04 LTS (Bionic Beaver)     Released (4.2.1-1ubuntu0.4)
Ubuntu 16.04 ESM (Xenial Xerus)      Released (3.5.0-1ubuntu0.4)
Ubuntu 14.04 ESM (Trusty Tahr)       Released (3.3.3-1ubuntu0.2+esm3)
Patches:
Upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d