GitHub Advisory DatabaseGHSA-V9V9-XFFQ-RWR4Improper Neutralization of Input During Web Page Generation in html5lib
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.003 Low
EPSS
Percentile
70.9%
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| html5lib | lt | 0.999999999 |
References
www.openwall.com/lists/oss-security/2016/12/06/5
www.openwall.com/lists/oss-security/2016/12/08/8
github.com/advisories/GHSA-v9v9-xffq-rwr4
github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7
github.com/html5lib/html5lib-python/issues/11
github.com/html5lib/html5lib-python/issues/12
github.com/pypa/advisory-database/tree/main/vulns/html5lib/PYSEC-2017-14.yaml
html5lib.readthedocs.io/en/latest/changes.html#b9
nvd.nist.gov/vuln/detail/CVE-2016-9909
web.archive.org/web/20161229134056/www.securityfocus.com/bid/95132
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.003 Low
EPSS
Percentile
70.9%