PYSEC-2021-19 — Vulnetix

PYSEC-2021-19 PUBLISHED CVSS 9.300000190734863 CRITICAL

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	lxml	0, 0, 0.9.1

Timeline

Mar 21, 2021 CVE Published
Nov 8, 2023 CVE Updated
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory

References

https://bugs.launchpad.net/lxml/+bug/1888153 url
https://github.com/advisories/GHSA-jq4v-f5q6-mjqq advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html advisory
https://www.debian.org/security/2021/dsa-4880 advisory
https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270 fix
https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999 fix

Open in Interactive Console →