CVE-2021-28957

MEDIUM

Lxml < 4.6.3 - XSS


Description

An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When the safe_attrs_only and forms arguments are both disabled, the Cleaner class does not remove the formaction attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
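Two defender-side checks that follow from the description, as an added example that is not lxml's own code: a configuration check for the affected combination (lxml before 4.6.3 with safe_attrs_only and forms both disabled) and a stdlib post-sanitization scan for any formaction attribute that survived cleaning. The function names and the sample markup are constructed for this example.

```python
"""Added example (not lxml's code): defender-side checks for CVE-2021-28957."""
from html.parser import HTMLParser
from itertools import takewhile

FIXED_VERSION = (4, 6, 3)  # first lxml release carrying the fix, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '4.6.2' into (4, 6, 2); a non-numeric suffix such as 'rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def cleaner_config_is_affected(lxml_version: str, safe_attrs_only: bool, forms: bool) -> bool:
    """True when a Cleaner configuration matches the advisory's affected case:
    lxml older than 4.6.3 with both safe_attrs_only and forms disabled."""
    return parse_version(lxml_version) < FIXED_VERSION and not safe_attrs_only and not forms


class _FormactionFinder(HTMLParser):
    """Collects (tag, value) for every formaction attribute seen.
    HTMLParser lowercases attribute names, so FORMACTION is caught too."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "formaction":
                self.hits.append((tag, value))


def find_formaction(sanitized_html: str) -> list:
    """Post-sanitization check: any formaction left in the output means the
    sanitizer did not neutralise the attribute and the HTML must not be rendered."""
    finder = _FormactionFinder()
    finder.feed(sanitized_html)
    finder.close()
    return finder.hits


# Constructed sample: what a pre-4.6.3 Cleaner(safe_attrs_only=False, forms=False) leaves intact.
SAMPLE_SANITIZED = '<form><button formaction="javascript:void(0)">Go</button></form>'

if __name__ == "__main__":
    print(cleaner_config_is_affected("4.6.2", safe_attrs_only=False, forms=False))  # True
    print(find_formaction(SAMPLE_SANITIZED))  # [('button', 'javascript:void(0)')]
```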

References (10)

Exploit, Issue Tracking, Third Party Advisory: https://bugs.launchpad.net/lxml/+bug/1888153
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
Third Party Advisory, vendor advisory (Debian): https://www.debian.org/security/2021/dsa-4880
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20210521-0004/
Third Party Advisory, vendor advisory (Gentoo): https://security.gentoo.org/glsa/202208-06

Scores

CVSS v3 6.1
EPSS 0.0052
EPSS Percentile 66.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (8)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 33
fedoraproject/fedora 34
lxml/lxml < 4.6.3
netapp/snapcenter
oracle/zfs_storage_appliance_kit 8.8
pypi/lxml 0 - 4.6.3
Published Mar 21, 2021
Tracked Since Feb 18, 2026