Lucene search

[email protected]CVE-2021-28957

HistoryMar 21, 2021 - 5:15 a.m.

CVE-2021-28957

2021-03-2105:15:00

CWE-79

[email protected]

web.nvd.nist.gov

347

cve-2021-28957

python-lxml

xss vulnerability

remote code execution

security patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

61.0%

JSON

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

CPENameOperatorVersion
lxml:lxmllxmllt4.6.3
debian:debian_linuxdebian debian linuxeq9.0
debian:debian_linuxdebian debian linuxeq10.0
fedoraproject:fedorafedoraproject fedoraeq33
fedoraproject:fedorafedoraproject fedoraeq34
netapp:snapcenternetapp snapcentereq-
oracle:zfs_storage_appliance_kitoracle zfs storage appliance kiteq8.8

CPE	Name	Operator	Version
lxml:lxml	lxml	lt	4.6.3
debian:debian_linux	debian debian linux	eq	9.0
debian:debian_linux	debian debian linux	eq	10.0
fedoraproject:fedora	fedoraproject fedora	eq	33
fedoraproject:fedora	fedoraproject fedora	eq	34
netapp:snapcenter	netapp snapcenter	eq	-
oracle:zfs_storage_appliance_kit	oracle zfs storage appliance kit	eq	8.8