csaf_opensuse - opensuse-su-2022:0803-1

opensuse-su-2022:0803-1

Vulnerability from csaf_opensuse

Published

2022-03-10 16:36

Modified

2022-03-10 16:36

Summary

Security update for python-lxml

Notes

Title of the patch

Security update for python-lxml

Description of the patch

This update for python-lxml fixes the following issues: - CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088). - CVE-2021-28957: Fixed XSS vulnerability ia HTML5 attributes unescaped (bsc#1184177). - CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752). - CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).

Patchnames

openSUSE-SLE-15.3-2022-803,openSUSE-SLE-15.4-2022-803

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-lxml",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-lxml fixes the following issues:\n\n- CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088).\n- CVE-2021-28957: Fixed XSS vulnerability ia HTML5 attributes unescaped (bsc#1184177).\n- CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752).\n- CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-SLE-15.3-2022-803,openSUSE-SLE-15.4-2022-803",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0803-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0803-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CXPBEANDVGCE6ASRYRQYWM4CLYAJ6TAE/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0803-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CXPBEANDVGCE6ASRYRQYWM4CLYAJ6TAE/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1118088",
        "url": "https://bugzilla.suse.com/1118088"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1179534",
        "url": "https://bugzilla.suse.com/1179534"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184177",
        "url": "https://bugzilla.suse.com/1184177"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1193752",
        "url": "https://bugzilla.suse.com/1193752"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-19787 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-19787/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-27783 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-27783/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28957 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28957/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43818 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43818/"
      }
    ],
    "title": "Security update for python-lxml",
    "tracking": {
      "current_release_date": "2022-03-10T16:36:12Z",
      "generator": {
        "date": "2022-03-10T16:36:12Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0803-1",
      "initial_release_date": "2022-03-10T16:36:12Z",
      "revision_history": [
        {
          "date": "2022-03-10T16:36:12Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-lxml-4.7.1-3.7.1.aarch64",
                "product": {
                  "name": "python2-lxml-4.7.1-3.7.1.aarch64",
                  "product_id": "python2-lxml-4.7.1-3.7.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python2-lxml-devel-4.7.1-3.7.1.aarch64",
                "product": {
                  "name": "python2-lxml-devel-4.7.1-3.7.1.aarch64",
                  "product_id": "python2-lxml-devel-4.7.1-3.7.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-4.7.1-3.7.1.aarch64",
                "product": {
                  "name": "python3-lxml-4.7.1-3.7.1.aarch64",
                  "product_id": "python3-lxml-4.7.1-3.7.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-devel-4.7.1-3.7.1.aarch64",
                "product": {
                  "name": "python3-lxml-devel-4.7.1-3.7.1.aarch64",
                  "product_id": "python3-lxml-devel-4.7.1-3.7.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-lxml-4.7.1-3.7.1.ppc64le",
                "product": {
                  "name": "python2-lxml-4.7.1-3.7.1.ppc64le",
                  "product_id": "python2-lxml-4.7.1-3.7.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python2-lxml-devel-4.7.1-3.7.1.ppc64le",
                "product": {
                  "name": "python2-lxml-devel-4.7.1-3.7.1.ppc64le",
                  "product_id": "python2-lxml-devel-4.7.1-3.7.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-4.7.1-3.7.1.ppc64le",
                "product": {
                  "name": "python3-lxml-4.7.1-3.7.1.ppc64le",
                  "product_id": "python3-lxml-4.7.1-3.7.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-devel-4.7.1-3.7.1.ppc64le",
                "product": {
                  "name": "python3-lxml-devel-4.7.1-3.7.1.ppc64le",
                  "product_id": "python3-lxml-devel-4.7.1-3.7.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-lxml-4.7.1-3.7.1.s390x",
                "product": {
                  "name": "python2-lxml-4.7.1-3.7.1.s390x",
                  "product_id": "python2-lxml-4.7.1-3.7.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python2-lxml-devel-4.7.1-3.7.1.s390x",
                "product": {
                  "name": "python2-lxml-devel-4.7.1-3.7.1.s390x",
                  "product_id": "python2-lxml-devel-4.7.1-3.7.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-4.7.1-3.7.1.s390x",
                "product": {
                  "name": "python3-lxml-4.7.1-3.7.1.s390x",
                  "product_id": "python3-lxml-4.7.1-3.7.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-devel-4.7.1-3.7.1.s390x",
                "product": {
                  "name": "python3-lxml-devel-4.7.1-3.7.1.s390x",
                  "product_id": "python3-lxml-devel-4.7.1-3.7.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-lxml-4.7.1-3.7.1.x86_64",
                "product": {
                  "name": "python2-lxml-4.7.1-3.7.1.x86_64",
                  "product_id": "python2-lxml-4.7.1-3.7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python2-lxml-devel-4.7.1-3.7.1.x86_64",
                "product": {
                  "name": "python2-lxml-devel-4.7.1-3.7.1.x86_64",
                  "product_id": "python2-lxml-devel-4.7.1-3.7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-4.7.1-3.7.1.x86_64",
                "product": {
                  "name": "python3-lxml-4.7.1-3.7.1.x86_64",
                  "product_id": "python3-lxml-4.7.1-3.7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-lxml-devel-4.7.1-3.7.1.x86_64",
                "product": {
                  "name": "python3-lxml-devel-4.7.1-3.7.1.x86_64",
                  "product_id": "python3-lxml-devel-4.7.1-3.7.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-4.7.1-3.7.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64"
        },
        "product_reference": "python2-lxml-4.7.1-3.7.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-4.7.1-3.7.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le"
        },
        "product_reference": "python2-lxml-4.7.1-3.7.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-4.7.1-3.7.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x"
        },
        "product_reference": "python2-lxml-4.7.1-3.7.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-4.7.1-3.7.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64"
        },
        "product_reference": "python2-lxml-4.7.1-3.7.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-devel-4.7.1-3.7.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64"
        },
        "product_reference": "python2-lxml-devel-4.7.1-3.7.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-devel-4.7.1-3.7.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le"
        },
        "product_reference": "python2-lxml-devel-4.7.1-3.7.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-devel-4.7.1-3.7.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x"
        },
        "product_reference": "python2-lxml-devel-4.7.1-3.7.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-lxml-devel-4.7.1-3.7.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64"
        },
        "product_reference": "python2-lxml-devel-4.7.1-3.7.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-4.7.1-3.7.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64"
        },
        "product_reference": "python3-lxml-4.7.1-3.7.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-4.7.1-3.7.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le"
        },
        "product_reference": "python3-lxml-4.7.1-3.7.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-4.7.1-3.7.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x"
        },
        "product_reference": "python3-lxml-4.7.1-3.7.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-4.7.1-3.7.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64"
        },
        "product_reference": "python3-lxml-4.7.1-3.7.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-devel-4.7.1-3.7.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64"
        },
        "product_reference": "python3-lxml-devel-4.7.1-3.7.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-devel-4.7.1-3.7.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le"
        },
        "product_reference": "python3-lxml-devel-4.7.1-3.7.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-devel-4.7.1-3.7.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x"
        },
        "product_reference": "python3-lxml-devel-4.7.1-3.7.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-lxml-devel-4.7.1-3.7.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
        },
        "product_reference": "python3-lxml-devel-4.7.1-3.7.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-19787",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-19787"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-19787",
          "url": "https://www.suse.com/security/cve/CVE-2018-19787"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1118088 for CVE-2018-19787",
          "url": "https://bugzilla.suse.com/1118088"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-10T16:36:12Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-19787"
    },
    {
      "cve": "CVE-2020-27783",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-27783"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-27783",
          "url": "https://www.suse.com/security/cve/CVE-2020-27783"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1179534 for CVE-2020-27783",
          "url": "https://bugzilla.suse.com/1179534"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-10T16:36:12Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-27783"
    },
    {
      "cve": "CVE-2021-28957",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28957"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28957",
          "url": "https://www.suse.com/security/cve/CVE-2021-28957"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184177 for CVE-2021-28957",
          "url": "https://bugzilla.suse.com/1184177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-10T16:36:12Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-28957"
    },
    {
      "cve": "CVE-2021-43818",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43818"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
          "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43818",
          "url": "https://www.suse.com/security/cve/CVE-2021-43818"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193752 for CVE-2021-43818",
          "url": "https://bugzilla.suse.com/1193752"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python2-lxml-devel-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-4.7.1-3.7.1.x86_64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.aarch64",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.ppc64le",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.s390x",
            "openSUSE Leap 15.3:python3-lxml-devel-4.7.1-3.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-10T16:36:12Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-43818"
    }
  ]
}

CVE-2018-19787 (GCVE-0-2018-19787)

Vulnerability from cvelistv5

Published

2018-12-02 10:00

Modified

2024-08-05 11:44

Severity ?

CWE

Summary

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

References

►

URL

Tags

	https://usn.ubuntu.com/3841-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html	mailing-list, x_refsource_MLIST
	https://usn.ubuntu.com/3841-2/	vendor-advisory, x_refsource_UBUNTU
	https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T11:44:20.323Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3841-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3841-1/"
          },
          {
            "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
          },
          {
            "name": "USN-3841-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3841-2/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
          },
          {
            "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-12-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-26T20:06:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "USN-3841-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3841-1/"
        },
        {
          "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
        },
        {
          "name": "USN-3841-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3841-2/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
        },
        {
          "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-19787",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3841-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3841-1/"
            },
            {
              "name": "[debian-lts-announce] 20181210 [SECURITY] [DLA 1604-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"
            },
            {
              "name": "USN-3841-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3841-2/"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"
            },
            {
              "name": "[debian-lts-announce] 20201126 [SECURITY] [DLA 2467-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-19787",
    "datePublished": "2018-12-02T10:00:00",
    "dateReserved": "2018-12-02T00:00:00",
    "dateUpdated": "2024-08-05T11:44:20.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-28957 (GCVE-0-2021-28957)

Vulnerability from cvelistv5

Published

2021-03-21 04:39

Modified

2024-08-03 21:55

Severity ?

CWE

Summary

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

References

►

URL

Tags

	https://bugs.launchpad.net/lxml/+bug/1888153	x_refsource_MISC
	https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4880	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210521-0004/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202208-06	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:12.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
          },
          {
            "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
          },
          {
            "name": "DSA-4880",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4880"
          },
          {
            "name": "FEDORA-2021-28723f9670",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
          },
          {
            "name": "FEDORA-2021-4cdb0f68c7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
          },
          {
            "name": "GLSA-202208-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-06"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T05:06:44",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
        },
        {
          "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
        },
        {
          "name": "DSA-4880",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4880"
        },
        {
          "name": "FEDORA-2021-28723f9670",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
        },
        {
          "name": "FEDORA-2021-4cdb0f68c7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
        },
        {
          "name": "GLSA-202208-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-06"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28957",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XSS vulnerability was discovered in python-lxml\u0027s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.launchpad.net/lxml/+bug/1888153",
              "refsource": "MISC",
              "url": "https://bugs.launchpad.net/lxml/+bug/1888153"
            },
            {
              "name": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"
            },
            {
              "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"
            },
            {
              "name": "DSA-4880",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4880"
            },
            {
              "name": "FEDORA-2021-28723f9670",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"
            },
            {
              "name": "FEDORA-2021-4cdb0f68c7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210521-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"
            },
            {
              "name": "GLSA-202208-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-06"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28957",
    "datePublished": "2021-03-21T04:39:35",
    "dateReserved": "2021-03-21T00:00:00",
    "dateUpdated": "2024-08-03T21:55:12.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-43818 (GCVE-0-2021-43818)

Vulnerability from cvelistv5

Published

2021-12-13 18:05

Modified

2024-08-04 04:03

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

References

►

URL

Tags

	https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8	x_refsource_CONFIRM
	https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a	x_refsource_MISC
	https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776	x_refsource_MISC
	https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/	vendor-advisory, x_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2022/dsa-5043	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20220107-0005/	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-06	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	lxml	lxml	Version: < 4.6.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:08.992Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
          },
          {
            "name": "FEDORA-2021-6e8fb79f90",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
          },
          {
            "name": "FEDORA-2021-9f9e7c5c4f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
          },
          {
            "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
          },
          {
            "name": "DSA-5043",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5043"
          },
          {
            "name": "FEDORA-2022-96c79bf003",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
          },
          {
            "name": "FEDORA-2022-7129fbaeed",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "GLSA-202208-06",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-06"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lxml",
          "vendor": "lxml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.6.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T05:06:57",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
        },
        {
          "name": "FEDORA-2021-6e8fb79f90",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
        },
        {
          "name": "FEDORA-2021-9f9e7c5c4f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
        },
        {
          "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
        },
        {
          "name": "DSA-5043",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5043"
        },
        {
          "name": "FEDORA-2022-96c79bf003",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
        },
        {
          "name": "FEDORA-2022-7129fbaeed",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "GLSA-202208-06",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-06"
        }
      ],
      "source": {
        "advisory": "GHSA-55x5-fj6c-h6m8",
        "discovery": "UNKNOWN"
      },
      "title": "HTML Cleaner allows crafted and SVG embedded scripts to pass through",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43818",
          "STATE": "PUBLIC",
          "TITLE": "HTML Cleaner allows crafted and SVG embedded scripts to pass through"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "lxml",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.6.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "lxml"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8",
              "refsource": "CONFIRM",
              "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776"
            },
            {
              "name": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0",
              "refsource": "MISC",
              "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0"
            },
            {
              "name": "FEDORA-2021-6e8fb79f90",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/"
            },
            {
              "name": "FEDORA-2021-9f9e7c5c4f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/"
            },
            {
              "name": "[debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html"
            },
            {
              "name": "DSA-5043",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5043"
            },
            {
              "name": "FEDORA-2022-96c79bf003",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/"
            },
            {
              "name": "FEDORA-2022-7129fbaeed",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220107-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220107-0005/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202208-06",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-06"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-55x5-fj6c-h6m8",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43818",
    "datePublished": "2021-12-13T18:05:12",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-04T04:03:08.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27783 (GCVE-0-2020-27783)

Vulnerability from cvelistv5

Published

2020-12-03 16:39

Modified

2024-08-04 16:25

Severity ?

CWE

CWE-79

Summary

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

References

►

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=1901633	x_refsource_MISC
	https://www.debian.org/security/2020/dsa-4810	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/	vendor-advisory, x_refsource_FEDORA
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://advisory.checkmarx.net/advisory/CX-2020-4286	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210521-0003/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	python-lxml	Version: lxml-4.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:42.427Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
          },
          {
            "name": "DSA-4810",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4810"
          },
          {
            "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
          },
          {
            "name": "FEDORA-2020-0e055ea503",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
          },
          {
            "name": "FEDORA-2020-307946cfb6",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python-lxml",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "lxml-4.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:54:48",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
        },
        {
          "name": "DSA-4810",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4810"
        },
        {
          "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
        },
        {
          "name": "FEDORA-2020-0e055ea503",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
        },
        {
          "name": "FEDORA-2020-307946cfb6",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-27783",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "python-lxml",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "lxml-4.6.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A XSS vulnerability was discovered in python-lxml\u0027s clean module. The module\u0027s parser didn\u0027t properly imitate browsers, which caused different behaviors between the sanitizer and the user\u0027s page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633"
            },
            {
              "name": "DSA-4810",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4810"
            },
            {
              "name": "[debian-lts-announce] 20201218 [SECURITY] [DLA 2467-2] lxml regression update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html"
            },
            {
              "name": "FEDORA-2020-0e055ea503",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/"
            },
            {
              "name": "FEDORA-2020-307946cfb6",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://advisory.checkmarx.net/advisory/CX-2020-4286",
              "refsource": "MISC",
              "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210521-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210521-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-27783",
    "datePublished": "2020-12-03T16:39:41",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-08-04T16:25:42.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2022:0803-1

Vulnerability from csaf_opensuse

CVE-2018-19787 (GCVE-0-2018-19787)

Vulnerability from cvelistv5

CVE-2021-28957 (GCVE-0-2021-28957)

Vulnerability from cvelistv5

CVE-2021-43818 (GCVE-0-2021-43818)

Vulnerability from cvelistv5

CVE-2020-27783 (GCVE-0-2020-27783)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature