CVE-2021-28957
Source: MITRE (www.cve.org)
Published: 2021-03-21 04:39:35
AI Score: 6.6 Medium (confidence: High)
EPSS: 0.002 Low (percentile: 61.6%)

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.