ALT-PU-2021-5028-1 — python-module-lxml

BDU:2021-03119

MEDIUM6.1

Уязвимость класса Cleaner библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю выполнить произвольный Java Script-код

Published: 2021-06-18Modified: 2025-11-26

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N

References

CVE-2021-28957

BDU:2021-03620

MEDIUM6.1

Уязвимость модуля clean библиотеки для обработки разметки XML и HTML Lxml, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю оказать воздействие на целостность защищаемой информации

Published: 2021-07-15Modified: 2025-11-26

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N

References

CVE-2020-27783

CVE-2020-27783

MEDIUM6.1

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Published: 2020-12-03Modified: 2025-12-17

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2021-28957

MEDIUM6.1

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Published: 2021-03-21Modified: 2025-12-17

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

GHSA-jq4v-f5q6-mjqq

MEDIUM5.3

lxml vulnerable to Cross-Site Scripting

Published: 2021-03-22Modified: 2024-09-30

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

GHSA-pgww-xf46-h92r

MEDIUM5.3

lxml vulnerable to Cross-site Scripting

Published: 2021-01-08Modified: 2025-12-20

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

Package update python-module-lxml in branch sisyphus

Closed issues (6)

Уязвимость класса Cleaner библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю выполнить произвольный Java Script-код

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

lxml vulnerable to Cross-Site Scripting

lxml vulnerable to Cross-site Scripting