PT-2020-6126 · Lxml+9 · Lxml+9

Published

2020-07-19

·

Updated

2025-01-14

·

CVE-2021-28957

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions lxml versions prior to 4.6.3
Description A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. The issue arises when the safe attrs only and forms arguments are disabled in the Cleaner class, allowing the formaction attribute to bypass the sanitizer.
Recommendations For versions prior to 4.6.3, update to version 4.6.3 to resolve the issue. As a temporary workaround, consider enabling the safe attrs only and forms arguments in the Cleaner class to prevent the formaction attribute from bypassing the sanitizer. Restrict access to the Cleaner class until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

CWE-79

Related Identifiers

ALSA-2021:4151
ALSA-2021:4158
ALSA-2021:4160
ALSA-2021:4162
ALT-PU-2021-1529
AZL-6808
BDU:2021-03119
CESA-2021_4151
CESA-2021_4158
CESA-2021_4160
CESA-2021_4162
CVE-2021-28957
DLA-2606-1
DSA-4880-1
GHSA-JQ4V-F5Q6-MJQQ
MGASA-2021-0246
OESA-2021-1178
OPENSUSE-SU-2022:0803-1
OPENSUSE-SU-2022_0803-1
OPENSUSE-SU-2022_3836-1
OPENSUSE-SU-2024:11236-1
OPENSUSE-SU-2024:11473-1
OPENSUSE-SU-2025:14647-1
PYSEC-2021-19
RHSA-2021:3254
RHSA-2021:4151
RHSA-2021:4158
RHSA-2021:4160
RHSA-2021:4162
RHSA-2021_4151
RHSA-2021_4158
RHSA-2021_4160
RHSA-2021_4162
RLSA-2021:4151
RLSA-2021:4158
RLSA-2021:4160
RLSA-2021:4162
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-SU-2022:0803-1
SUSE-SU-2022:0895-1
SUSE-SU-2022:1536-1
SUSE-SU-2022:1729-1
SUSE-SU-2022:3836-1
SUSE-SU-2022:3934-1
SUSE-SU-2022:3937-1
SUSE-SU-2022_3934-1
SUSE-SU-2022_3937-1
USN-4896-1
USN-4896-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Lxml