An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-21T04:39:35

Updated: 2024-08-03T21:55:12.376Z

Reserved: 2021-03-21T00:00:00

Link: CVE-2021-28957

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-03-21T05:15:13.367

Modified: 2024-11-21T06:00:26.497

Link: CVE-2021-28957

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-03-21T00:00:00Z

Links: CVE-2021-28957 - Bugzilla