CVE-2021-28957

Severity: Medium (CVSS 3.1 base score 6.1)
Published Mar 21, 2021
Last Modified Jun 17, 2026

Description

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
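As an added defender-side example (not part of this CVE record or of the lxml project), the following standard-library code does two things that follow from the description above: it decides whether a given lxml version and Cleaner configuration fall into the vulnerable combination (lxml before 4.6.3 with both safe_attrs_only and forms switched off), and it scans sanitizer output for a formaction attribute that survived cleaning, as a regression check. The sample HTML and the function names are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# "This issue is patched in lxml 4.6.3" (from the advisory text).
FIXED_VERSION = (4, 6, 3)

# Constructed sample of sanitizer output in which formaction was not removed.
SAMPLE_OUTPUT = '<p>Hi</p><button formaction="javascript:void(0)">Send</button>'


def parse_version(version: str) -> tuple:
    """Turn '4.6.2' (or '4.6.2rc1') into (4, 6, 2); only leading digits count."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def cleaner_config_vulnerable(lxml_version: str, safe_attrs_only: bool, forms: bool) -> bool:
    """True when the setup matches the advisory: lxml < 4.6.3 with
    safe_attrs_only=False and forms=False, so Cleaner keeps formaction."""
    return parse_version(lxml_version) < FIXED_VERSION and not safe_attrs_only and not forms


class _FormactionFinder(HTMLParser):
    """Collects every (tag, value) pair where a formaction attribute appears."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names; self-closing tags also land here.
        for name, value in attrs:
            if name == "formaction":
                self.findings.append((tag, value))


def leftover_formaction(sanitized_html: str) -> list:
    """Regression check for Cleaner output: report any surviving formaction."""
    finder = _FormactionFinder()
    finder.feed(sanitized_html)
    finder.close()
    return finder.findings
```

Run leftover_formaction over the output of your own sanitizer configuration; a non-empty result means the formaction bypass is still possible.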

CVSS Details

Base Score: 6.1
Exploitability: 2.8
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-79 Cross-site Scripting Injection

Affected Products (7)

Vendor | Product | Version | Range
lxml | lxml | * | <4.6.3
debian | debian_linux | 9.0 | any
debian | debian_linux | 10.0 | any
fedoraproject | fedora | 33 | any
fedoraproject | fedora | 34 | any
netapp | snapcenter | * | any
oracle | zfs_storage_appliance_kit | 8.8 | any

References (10)

  • bugs.launchpad.net https://bugs.launchpad.net/lxml/+bug/1888153
    (Exploit, Issue Tracking, Third Party Advisory)
  • github.com https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
    (Patch, Third Party Advisory)
  • github.com https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
    (Patch, Third Party Advisory)
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
    (Mailing List, Third Party Advisory)
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/
  • security.gentoo.org https://security.gentoo.org/glsa/202208-06
    (Third Party Advisory)
  • security.netapp.com https://security.netapp.com/advisory/ntap-20210521-0004/
    (Third Party Advisory)
  • debian.org https://www.debian.org/security/2021/dsa-4880
    (Third Party Advisory)
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    (Patch, Third Party Advisory)

Remediation

  • github.com https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
    (Patch, Third Party Advisory)
  • github.com https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
    (Patch, Third Party Advisory)
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    (Patch, Third Party Advisory)