CVE-2021-28957
Published: 21 March 2021
An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
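The advisory describes markup that a Cleaner configured with `safe_attrs_only=False, forms=False` let through unchanged. A defensive second gate is to audit the sanitizer's output for attributes that should never survive, independent of which lxml version produced it. The following is an added example, not code from lxml or from this advisory; it uses only the Python standard library (`html.parser`), treats `formaction` as the blocked attribute because that is the one the advisory names, and the sample fragments are constructed here to illustrate the check.

```python
from html.parser import HTMLParser

# Attribute the affected Cleaner configuration left in place, per the advisory.
# HTMLParser lowercases attribute names, so a mixed-case FORMACTION is caught too.
BLOCKED_ATTRS = {"formaction"}


class FormactionAuditor(HTMLParser):
    """Collects (tag, attribute, value) triples for blocked attributes.

    Intended to run over *already sanitized* markup as an independent check
    that the sanitizer actually removed what it was supposed to remove.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<input .../>); handled once, not via the default
        # start+end dispatch, so each attribute is reported a single time.
        self._check(tag, attrs)

    def _check(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in BLOCKED_ATTRS:
                self.findings.append((tag, name.lower(), value or ""))


def audit_sanitized_html(markup: str) -> list:
    """Return every blocked attribute found in the given (sanitized) markup."""
    parser = FormactionAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def is_clean(markup: str) -> bool:
    """True when no blocked attribute survived sanitization."""
    return not audit_sanitized_html(markup)


# Constructed sample: a fragment of the kind the advisory says survives a
# Cleaner(safe_attrs_only=False, forms=False) run on lxml before 4.6.3.
# The formaction value is a non-executing placeholder, not a real payload.
SAMPLE_BYPASS = (
    '<form action="/post"><button formaction="javascript:/*constructed*/void 0">'
    "Go</button></form>"
)
# Constructed sample: the same form with no submission-override attribute.
SAMPLE_OK = '<form action="/post"><button type="submit">Go</button></form>'

if __name__ == "__main__":
    for label, fragment in (("bypass", SAMPLE_BYPASS), ("ok", SAMPLE_OK)):
        print(label, "->", audit_sanitized_html(fragment) or "clean")
```

Run the audit on whatever the sanitizer returns and reject the fragment when `is_clean` is false. The check is deliberately independent of lxml's version string: the Ubuntu releases in the table below are fixed by backported patches (for example 4.5.0-1ubuntu0.3 on focal) even though their upstream version number is below 4.6.3, so comparing against 4.6.3 alone would misjudge a patched distribution package. Keeping `forms=True` (or `safe_attrs_only=True`) in the Cleaner configuration avoids the affected code path on older builds as well.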
Priority
Status
Package | Release | Status |
---|---|---|
lxml (Launchpad, Ubuntu, Debian) | upstream | Released (4.6.3-1) |
 | bionic | Released (4.2.1-1ubuntu0.4) |
 | focal | Released (4.5.0-1ubuntu0.3) |
 | groovy | Released (4.5.2-1ubuntu0.4) |
 | xenial | Released (3.5.0-1ubuntu0.4) |
 | trusty | Released (3.3.3-1ubuntu0.2+esm3), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |

Patches: upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
- https://bugs.launchpad.net/lxml/+bug/1888153
- https://github.com/lxml/lxml/pull/316
- https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
- https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
- https://ubuntu.com/security/notices/USN-4896-1
- https://ubuntu.com/security/notices/USN-4896-2
- NVD
- Launchpad
- Debian