PT-2021-6092 · Lxml (+10 other affected products)

Published

2021-12-12

·

Updated

2023-10-24

·

CVE-2021-43818

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:C/A:N

Name of the Vulnerable Software and Affected Versions

lxml versions prior to 4.6.5

Description

The HTML Cleaner in lxml.html allows certain crafted script content to pass through, as well as script content in SVG files embedded using data URIs. A remote attacker can exploit this to perform cross-site scripting attacks using specially crafted SVG files. Users that employ the HTML Cleaner in a security-relevant context are at risk.

Recommendations

For versions prior to 4.6.5, upgrade to lxml 4.6.5 or later, which contains the fix. Where the upgrade cannot be deployed immediately, do not rely on the HTML Cleaner in lxml.html as the sole sanitizer for untrusted HTML, and restrict its use in security-relevant contexts to minimize the risk of exploitation.
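The vector described above (script carried inside an SVG that is embedded as a data: URI and passed through by the cleaner) can be checked for before untrusted HTML reaches the cleaner at all. The following Python is an added example, not lxml's own code: it decodes data: URIs found in sub-resource attributes, flags SVG payloads that carry script markers (including SVG hidden behind a different declared image type, which goes beyond the advisory's wording), provides a version gate against the 4.6.5 fix, and, when an lxml cleaner is importable, reports whether the flagged URIs survive it. The function names, the attribute list, the marker regex and the sample HTML are this example's own assumptions.

```python
"""Pre-filter for the CVE-2021-43818 vector: script-bearing SVG smuggled in data: URIs.

Added example, not lxml's own code. Function names are this example's choice,
not a library API; the sample HTML at the bottom is constructed, not from a real report.
"""
import base64
import re
import urllib.parse
from collections import namedtuple
from html.parser import HTMLParser

FIXED_VERSION = (4, 6, 5)   # first lxml release carrying the fix, per the advisory

# RFC 2397 shape: data:<mime>[;param]*,<payload>
DATA_URI_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]+)(?P<params>(?:;[^;,]+)*),(?P<payload>.*)$", re.I | re.S)
# Markers of active content inside an SVG document: <script>, on* handlers, javascript: URLs.
ACTIVE_SVG_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript\s*:", re.I)

Finding = namedtuple("Finding", "tag attr mime markers")


def is_fixed_version(version):
    """True if an lxml version string is 4.6.5 or later."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(p or 0) for p in m.groups()) >= FIXED_VERSION


def decode_data_uri(value):
    """Return (mime, decoded text) for a data: URI, or None if value is not one."""
    m = DATA_URI_RE.match(value)
    if not m:
        return None
    mime = m.group("mime").strip().lower()
    payload = re.sub(r"\s+", "", m.group("payload"))
    if ";base64" in m.group("params").lower():
        try:
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except ValueError:          # binascii.Error is a ValueError: undecodable payload
            raw = b""
    else:
        raw = urllib.parse.unquote_to_bytes(payload)
    return mime, raw.decode("utf-8", "replace")


def inspect_data_uri(value):
    """Return (mime, sorted markers) if value is a data: URI carrying script-bearing SVG."""
    decoded = decode_data_uri(value)
    if decoded is None:
        return None
    mime, text = decoded
    # Declared as SVG, or looks like SVG whatever image type the URI declares.
    if mime != "image/svg+xml" and "<svg" not in text.lower():
        return None
    markers = sorted({re.sub(r"[\s=]", "", hit).lower() for hit in ACTIVE_SVG_RE.findall(text)})
    return (mime, markers) if markers else None


class DataUriScanner(HTMLParser):
    """Collect Findings for data: URIs in attributes that load sub-resources (assumed list)."""
    URL_ATTRS = {"src", "href", "xlink:href", "data", "poster"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):   # HTMLParser also routes self-closing tags here
        for name, value in attrs:            # attribute names arrive lowercased
            if value is None or name not in self.URL_ATTRS:
                continue
            hit = inspect_data_uri(value)
            if hit:
                self.findings.append(Finding(tag, name, hit[0], hit[1]))


def scan_html(html):
    """Return all Findings in an HTML string; an empty list means nothing was flagged."""
    parser = DataUriScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def cleaner_passes_through(html):
    """Run the installed lxml HTML Cleaner, if any, and report whether flagged data: URIs
    survive it. None means lxml.html.clean is not importable in this environment."""
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return None
    return bool(scan_html(Cleaner(javascript=True, scripts=True).clean_html(html)))


# Constructed sample input: one base64 SVG with an onload handler and a <script>,
# one percent-encoded SVG with a <script>, one genuine PNG, one ordinary link.
SVG_WITH_SCRIPT = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                   '<script>alert(document.domain)</script></svg>')
SVG_DATA_URI = "data:image/svg+xml;base64," + base64.b64encode(SVG_WITH_SCRIPT.encode()).decode()
SAMPLE_HTML = "".join([
    '<p>hello</p>',
    '<img src="%s">' % SVG_DATA_URI,
    '<object data="data:image/svg+xml,%3Csvg%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fsvg%3E"></object>',
    '<img src="data:image/png;base64,iVBORw0KGgo=">',        # raster image: not flagged
    '<a href="https://example.com/image.svg">not a data: URI</a>',
])

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("%s[%s]: %s carries %s" % (f.tag, f.attr, f.mime, ", ".join(f.markers)))
    print("installed cleaner passes flagged URIs through:", cleaner_passes_through(SAMPLE_HTML))
```

Treat a non-empty result as grounds to reject or re-encode the document rather than as something to hand to the cleaner; the marker regex is a heuristic, not a parser, and the check complements the upgrade to 4.6.5 rather than replacing it.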

Fix

Command Injection

Special Elements Injection

XSS

Weakness Enumeration

Related Identifiers

ALSA-2022:1763
ALSA-2022:1764
ALSA-2022:1821
ALSA-2022:1932
ALT-PU-2022-1214
ALT-PU-2023-5651
ALT-PU-2023-6474
AZL-7025
BDU:2022-00756
CESA-2022_1763
CESA-2022_1764
CESA-2022_1821
CESA-2022_1932
CVE-2021-43818
DLA-2871-1
DSA-5043-1
GHSA-55X5-FJ6C-H6M8
MGASA-2021-0595
OESA-2022-1482
OPENSUSE-SU-2022:0803-1
OPENSUSE-SU-2022_0803-1
OPENSUSE-SU-2024:11713-1
PYSEC-2021-852
RHSA-2022:1664
RHSA-2022:1763
RHSA-2022:1764
RHSA-2022:1821
RHSA-2022:1932
RHSA-2022:5498
RHSA-2022_1763
RHSA-2022_1764
RHSA-2022_1821
RHSA-2022_1932
RLSA-2022:1763
RLSA-2022:1764
RLSA-2022:1821
RLSA-2022:1932
RLSA-2022:5498
SUSE-SU-2022:0803-1
SUSE-SU-2022:0895-1
SUSE-SU-2022:1729-1
USN-5225-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Lxml