PublicDateAtUSN: 2021-03-21 05:15:00 UTC
Candidate: CVE-2021-28957
PublicDate: 2021-03-21 05:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
 https://bugs.launchpad.net/lxml/+bug/1888153
 https://github.com/lxml/lxml/pull/316
 https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
 https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
 https://ubuntu.com/security/notices/USN-4896-1
 https://ubuntu.com/security/notices/USN-4896-2
Description:
 An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985643
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_lxml:
 upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
upstream_lxml: released (4.6.3-1)
precise/esm_lxml: ignored
trusty_lxml: ignored (out of standard support)
trusty/esm_lxml: released (3.3.3-1ubuntu0.2+esm3)
xenial_lxml: released (3.5.0-1ubuntu0.4)
esm-infra/xenial_lxml: released (3.5.0-1ubuntu0.4)
bionic_lxml: released (4.2.1-1ubuntu0.4)
focal_lxml: released (4.5.0-1ubuntu0.3)
groovy_lxml: released (4.5.2-1ubuntu0.4)
devel_lxml: not-affected (4.6.3-1)