CVE-2021-28957
MEDIUM
Published Mar 21, 2021 (5y ago) · Modified Jun 17, 2026 (2w ago)
6.1 CVSS 3.1
Description
An XSS vulnerability was discovered in python-lxml's clean module in versions before 4.6.3. When both the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, allowing JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript in the browsers of users who interact with the incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 7
| Vendor | Product | Version | Range |
|---|---|---|---|
| lxml | lxml | * | <4.6.3 |
| debian | debian_linux | 9.0 | any |
| debian | debian_linux | 10.0 | any |
| fedoraproject | fedora | 33 | any |
| fedoraproject | fedora | 34 | any |
| netapp | snapcenter | * | any |
| oracle | zfs_storage_appliance_kit | 8.8 | any |
References 10
- bugs.launchpad.net https://bugs.launchpad.net/lxml/+bug/1888153
- github.com https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
- github.com https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/
- security.gentoo.org https://security.gentoo.org/glsa/202208-06
- security.netapp.com https://security.netapp.com/advisory/ntap-20210521-0004/
- debian.org https://www.debian.org/security/2021/dsa-4880
- oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
Remediation
- github.com https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
- github.com https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
- oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html