Cross-site scripting in Lxml
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-43818 |
| CWE-ID | CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Lxml Client/Desktop applications / Multimedia software |
| Vendor | Lxml |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cross-site scripting
EUVDB-ID: #VU59660
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43818
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the HTML Cleaner in lxml.html. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsLxml: 4.0.0 - 4.6.4-5
External linkshttp://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
http://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
http://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
http://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
http://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
http://security.netapp.com/advisory/ntap-20220107-0005/
http://www.debian.org/security/2022/dsa-5043
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
