pysec-2021-19
Vulnerability from pysec
Published
2021-03-21 05:15
Modified
2021-03-30 18:47
Details
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lxml",
"purl": "pkg:pypi/lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "a5f9cb52079dc57477c460dbe6ba0f775e14a999"
}
],
"repo": "https://github.com/lxml/lxml",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9",
"0.9.1",
"0.9.2",
"1.0.beta",
"1.0",
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.4",
"1.1alpha",
"1.1beta",
"1.1",
"1.1.1",
"1.1.2",
"1.2",
"1.2.1",
"1.3beta",
"1.3",
"1.3.1",
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"1.3.6",
"2.0alpha1",
"2.0alpha2",
"2.0alpha3",
"2.0alpha4",
"2.0alpha5",
"2.0alpha6",
"2.0beta1",
"2.0beta2",
"2.0",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.0.8",
"2.0.9",
"2.0.10",
"2.0.11",
"2.1alpha1",
"2.1beta1",
"2.1beta2",
"2.1beta3",
"2.1",
"2.1.1",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.5",
"2.2alpha1",
"2.2beta1",
"2.2beta2",
"2.2beta3",
"2.2beta4",
"2.2",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.2.8",
"2.3alpha1",
"2.3alpha2",
"2.3beta1",
"2.3",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.3.5",
"2.3.6",
"3.0",
"3.0.1",
"3.0.2",
"3.1beta1",
"3.1.0",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.3.0beta1",
"3.3.0beta2",
"3.3.0beta3",
"3.3.0beta4",
"3.3.0beta5",
"3.3.0",
"3.3.1",
"3.3.2",
"3.3.3",
"3.3.4",
"3.3.5",
"3.3.6",
"3.4.0",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5.0b1",
"3.5.0",
"3.6.0",
"3.6.1",
"3.6.2",
"3.6.3",
"3.6.4",
"3.7.0",
"3.7.1",
"3.7.2",
"3.7.3",
"3.8.0",
"4.0.0",
"4.1.0",
"4.1.1",
"4.2.0",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.2.5",
"4.2.6",
"4.3.0",
"4.3.1",
"4.3.2",
"4.3.3",
"4.3.4",
"4.3.5",
"4.4.0",
"4.4.1",
"4.4.2",
"4.4.3",
"4.5.0",
"4.5.1",
"4.5.2",
"4.6.0",
"4.6.1",
"4.6.2"
]
}
],
"aliases": [
"CVE-2021-28957",
"GHSA-jq4v-f5q6-mjqq"
],
"details": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.",
"id": "PYSEC-2021-19",
"modified": "2021-03-30T18:47:00Z",
"published": "2021-03-21T05:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://bugs.launchpad.net/lxml/+bug/1888153"
},
{
"type": "WEB",
"url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
},
{
"type": "FIX",
"url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2021/dsa-4880"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jq4v-f5q6-mjqq"
}
]
}
Loading...