CVE-2020-27783
Severity: MEDIUM · EPSS 89.1%
Published Dec 3, 2020 (5y ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score: 6.1
Description
An XSS vulnerability was discovered in python-lxml's clean module. The module's parser did not faithfully imitate browser parsing, so the sanitizer and the user's browser could interpret the same markup differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
CVSS Details

| Metric | Value |
|---|---|
| Base Score | 6.1 |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Threat Intelligence
- EPSS Exploit Probability: 89.1% percentile
- Exploit & Patch Status: Public Exploit Known; Patch Available
Weaknesses (1)
- CWE-79 Cross-site Scripting (XSS)
Affected Products (10)
| Vendor | Product | Version | Range |
|---|---|---|---|
| lxml | lxml | * | ≥1.2 – <4.6.2 |
| redhat | software_collections | * | any |
| redhat | enterprise_linux | 8.0 | any |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| fedoraproject | fedora | 32 | any |
| fedoraproject | fedora | 33 | any |
| netapp | snapcenter | * | any |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 | any |
| oracle | zfs_storage_appliance_kit | 8.8 | any |
References (8)
- advisory.checkmarx.net https://advisory.checkmarx.net/advisory/CX-2020-4286
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1901633
- lists.debian.org https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/
- security.netapp.com https://security.netapp.com/advisory/ntap-20210521-0003/
- debian.org https://www.debian.org/security/2020/dsa-4810
- oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
Remediation
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1901633
- oracle.com https://www.oracle.com//security-alerts/cpujul2021.html