An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-03-21T04:39:35
Updated: 2024-08-03T21:55:12.376Z
Reserved: 2021-03-21T00:00:00
Link: CVE-2021-28957
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-03-21T05:15:13.367
Modified: 2024-11-21T06:00:26.497
Link: CVE-2021-28957
Redhat