CVE-2020-27783

Severity: MEDIUM · EPSS 89.1%
Published Dec 3, 2020 (5y ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1 base score 6.1 (Medium)

Description

An XSS (cross-site scripting) vulnerability was discovered in python-lxml's clean module. The module's parser did not properly imitate browsers, so the sanitizer and the user's browser interpreted the same markup differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
89.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 10

Vendor          Product                                        Version      Range
lxml            lxml                                           *            ≥1.2, <4.6.2
redhat          software_collections                           *            any
redhat          enterprise_linux                               8.0          any
debian          debian_linux                                   9.0          any
debian          debian_linux                                   10.0         any
fedoraproject   fedora                                         32           any
fedoraproject   fedora                                         33           any
netapp          snapcenter                                     *            any
oracle          communications_offline_mediation_controller    12.0.0.3.0   any
oracle          zfs_storage_appliance_kit                      8.8          any

References 8

  • advisory.checkmarx.net https://advisory.checkmarx.net/advisory/CX-2020-4286
    Exploit, Third Party Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1901633
    Exploit, Issue Tracking, Patch, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210521-0003/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2020/dsa-4810
    Third Party Advisory
  • oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
    Patch, Third Party Advisory

Remediation

  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1901633
    Exploit, Issue Tracking, Patch, Third Party Advisory
  • oracle.com https://www.oracle.com//security-alerts/cpujul2021.html
    Patch, Third Party Advisory