CVE-2021-28957

Summary

CVE	CVE-2021-28957
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-03-21 05:15:00 UTC
Updated	2023-11-07 03:32:00 UTC
Description	An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Lxml	Lxml	All	All	All	All
Application	Lxml	Lxml	4.6.2	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Oracle	Zfs Storage Appliance Kit	8.8	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 33 Update: python-lxml-4.5.1-4.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Bug #1888153 “formaction attr allowing javascript in Cleaner() i...” : Bugs : lxml	MISC	bugs.launchpad.net
[SECURITY] Fedora 33 Update: python-lxml-4.5.1-4.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
lxml: Multiple Vulnerabilities (GLSA 202208-06) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 34 Update: python-lxml-4.6.3-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[SECURITY] [DLA 2606-1] lxml security update	MLIST	lists.debian.org
CVE-2021-28957 lxml Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Debian -- Security Information -- DSA-4880-1 lxml	DEBIAN	www.debian.org
[SECURITY] Fedora 34 Update: python-lxml-4.6.3-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Prepare release of lxml 4.6.3. · lxml/lxml@a5f9cb5 · GitHub	MISC	github.com
Add formaction attribute to defs.link_attrs by ColdHeat · Pull Request #316 · lxml/lxml · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159463 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2021-4151)
159466 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2021-4160)
159467 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2021-4162)
159768 Oracle Enterprise Linux Security Update for ol-automation-manager (ELSA-2022-9341)
178503 Debian Security Update for lxml (DLA 2606-1)
178517 Debian Security Update for lxml (DSA 4880-1)
179793 Debian Security Update for lxml (CVE-2021-28957)
198314 Ubuntu Security Notification for Lxml Vulnerability (USN-4896-1)
239580 Red Hat Update for rh-python38 (RHSA-2021:3254)
239826 Red Hat Update for python27:2.7 (RHSA-2021:4151)
239836 Red Hat Update for python-lxml (RHSA-2021:4158)
239841 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2021:4160)
239845 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)
281102 Fedora Security Update for python (FEDORA-2021-28723f9670)
281501 Fedora Security Update for python (FEDORA-2021-4cdb0f68c7)
296059 Oracle Solaris 11.4 Support Repository Update (SRU) 36.0.1.101.2 Missing (CPUJUL2021)
378004 Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)
501680 Alpine Linux Security Update for py3-lxml
504330 Alpine Linux Security Update for py3-lxml
670725 EulerOS Security Update for python-lxml (EulerOS-SA-2021-2483)
670759 EulerOS Security Update for python-lxml (EulerOS-SA-2021-2517)
670781 EulerOS Security Update for python-lxml (EulerOS-SA-2021-2539)
670805 EulerOS Security Update for python-lxml (EulerOS-SA-2021-2563)
671141 EulerOS Security Update for python-lxml (EulerOS-SA-2021-2610)
710581 Gentoo Linux lxml Multiple Vulnerabilities (GLSA 202208-06)
751854 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:0803-1)
751858 OpenSUSE Security Update for python-lxml (openSUSE-SU-2022:0803-1)
751901 SUSE Enterprise Linux Security Update for python-lxml (SUSE-SU-2022:0895-1)
752787 SUSE Enterprise Linux Security Update for python3-lxml (SUSE-SU-2022:3937-1)
900214 CBL-Mariner Linux Security Update for python-lxml 4.2.4
901258 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (6808-1)
903571 Common Base Linux Mariner (CBL-Mariner) Security Update for python-lxml (4682)
940292 AlmaLinux Security Update for python-lxml (ALSA-2021:4158)
940522 AlmaLinux Security Update for python27:2.7 (ALSA-2021:4151)
940526 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2021:4162)
940559 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2021:4160)
960239 Rocky Linux Security Update for python39:3.9 and python39-devel:3.9 (RLSA-2021:4160)
960320 Rocky Linux Security Update for python27:2.7 (RLSA-2021:4151)
960342 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2021:4162)
960712 Rocky Linux Security Update for python-lxml (RLSA-2021:4158)
980346 Python (pip) Security Update for lxml (GHSA-jq4v-f5q6-mjqq)