Important: python-lxml

Issue Overview:

A Cross-site Scripting (XSS) vulnerability was found in the python-lxml’s clean module. The module’s parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user’s page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2020-27783)

There’s a flaw in python-lxml’s HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml’s HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (CVE-2021-43818)

Affected Packages:

python-lxml

Issue Correction:
Run yum update python-lxml to update your system.

New Packages:

i686:  
    python-lxml-debuginfo-3.2.1-4.10.amzn1.i686  
    python26-lxml-3.2.1-4.10.amzn1.i686  
    python27-lxml-3.2.1-4.10.amzn1.i686  
  
noarch:  
    python26-lxml-docs-3.2.1-4.10.amzn1.noarch  
    python27-lxml-docs-3.2.1-4.10.amzn1.noarch  
  
src:  
    python-lxml-3.2.1-4.10.amzn1.src  
  
x86_64:  
    python-lxml-debuginfo-3.2.1-4.10.amzn1.x86_64  
    python26-lxml-3.2.1-4.10.amzn1.x86_64  
    python27-lxml-3.2.1-4.10.amzn1.x86_64  

Additional References

Red Hat: CVE-2020-27783, CVE-2021-43818

Mitre: CVE-2020-27783, CVE-2021-43818