#VU59660 Cross-site scripting in Lxml


Published: 2022-01-17

Vulnerability identifier: #VU59660

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43818

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Lxml
Client/Desktop applications / Multimedia software

Vendor: Lxml

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the HTML Cleaner in lxml.html. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Lxml: 4.0.0 - 4.6.4-5

External links
http://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
http://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
http://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
http://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
http://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
http://security.netapp.com/advisory/ntap-20220107-0005/
http://www.debian.org/security/2022/dsa-5043
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar SIEM
Amazon Linux AMI update for python-lxml
Cross-site scripting in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in OpenShift Container Platform 4.11
Gentoo update for lxml
Red Hat Enterprise Linux 8 update for python-lxml
Red Hat Enterprise Linux 8 update for the python27:2.7 module
Red Hat Enterprise Linux 8 update for the python38:3.8 and python38-devel:3.8 modules
Red Hat Enterprise Linux 8 update for the python39:3.9 and python39-devel:3.9 modules