CVSSv3: 6.1

CVE-2020-27783

Published: 03/12/2020 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 383
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

An XSS vulnerability exists in python-lxml's clean module. The module's HTML parser did not behave the way browser parsers do, so the sanitizer and the browser rendering the user's page could interpret the same markup differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Vulnerable Products

lxml lxml

redhat enterprise linux 8.0

redhat software collections -

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 32

fedoraproject fedora 33

netapp snapcenter -

oracle communications offline mediation controller 12.0.0.3.0

oracle zfs storage appliance kit 8.8

Vendor Advisories

Yaniv Nizry discovered that the clean module of lxml, Python bindings for libxml2 and libxslt, could be bypassed. For the stable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u1. We recommend that you upgrade your lxml packages. For the detailed security status of lxml please refer to its security tracker page at: https: ...
A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and i ...
A cross-site scripting vulnerability was discovered in python-lxml's clean module before version 4.6.2. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code ...

Github Repositories

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.

Jake: jake is a tool to check your Python environments and applications that can produce a CycloneDX software bill-of-materials and report on known vulnerabilities. jake is powered by Sonatype OSS Index and can also be used with Sonatype's Nexus IQ Server. Installation: install from pypi.org as you would any other Python module: pip install jake