CVE-2021-28957

Name
CVE-2021-28957
Description
An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When both the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, which allows JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript code in the browsers of users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://bugs.launchpad.net/lxml/+bug/1888153
Patch https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
Patch https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
Third Party Advisory https://www.debian.org/security/2021/dsa-4880
CONFIRM https://security.netapp.com/advisory/ntap-20210521-0004/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/
MISC https://www.oracle.com/security-alerts/cpuoct2021.html
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
cve@mitre.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/
Third Party Advisory https://security.gentoo.org/glsa/202208-06

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:* lxml >= None < 4.6.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-lxml edge-main 4.6.3-r0 None fixed
py3-lxml edge-community 4.6.3-r0 None fixed
py3-lxml 3.22-main 4.6.3-r0 None fixed
py3-lxml 3.21-main 4.6.3-r0 None fixed
py3-lxml 3.20-main 4.6.3-r0 None fixed
py3-lxml 3.19-main 4.6.3-r0 None fixed
py3-lxml 3.18-main 4.6.3-r0 None fixed
py3-lxml 3.17-main 4.6.3-r0 None fixed