ALT Linux Team

Package python3-module-lxml update in sisyphus on 2021-03-22

ALT-PU-2021-1529-1

Package python3-module-lxml updated to version 4.6.3-alt1 for branch sisyphus in task 268152.

Closed vulnerabilities

Published: 2021-06-18
Modified: 2023-11-21

BDU:2021-03119

Уязвимость класса Cleaner библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю выполнить произвольный Java Script-код

Severity: MEDIUM (6.1) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Published: 2021-03-21
Modified: 2024-11-21

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top