logo
DATABASE RESOURCES PRICING ABOUT US

EulerOS Virtualization 3.0.2.0 : python-lxml (EulerOS-SA-2021-2830)

Description

According to the versions of the python-lxml package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. (CVE-2021-28957) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Related