CVE-2021-43818

Published: 13/12/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.1 | Impact Score: 3.7 | Exploitability Score: 2.8
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote malicious user to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2020-27783)

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (CVE-2021-43818)
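Two checks a deployment that relies on lxml's HTML Cleaner can run, written here as an added example (this is not code from lxml, from the advisories, or from this page): a version gate that treats lxml 4.6.5, the release the advisories name as patched, as the first fixed version, and a defense-in-depth scanner that flags any <img> whose src or srcset is a data: URI, which is the kind of content an unpatched cleaner passed through. The sample HTML is constructed for the example and contains a harmless inline SVG; the policy rejects it regardless of content, because the sanitizer cannot be trusted to inspect inside a data: URI. Only the Python standard library is used, so the check runs even where lxml is absent.

```python
"""Defender-side checks for the lxml HTML Cleaner issue (CVE-2021-43818).

Added example; assumes only the standard library. FIXED_VERSION comes from
the advisory text ("upgrade to lxml 4.6.5"). The data: URI policy is an
assumption about what a deployment chooses to refuse, not lxml behaviour.
"""
import re
from html.parser import HTMLParser

# First lxml release carrying the fix, per the advisory text.
FIXED_VERSION = (4, 6, 5)


def parse_version(text):
    """Turn '4.6.5' or '4.6.5.dev0' into a tuple of ints for comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_lxml_fixed(version_string):
    """True when the given lxml version is 4.6.5 or later."""
    return parse_version(version_string) >= FIXED_VERSION


def installed_lxml_is_fixed():
    """Check the lxml actually installed; None if lxml is not installed."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return is_lxml_fixed(version("lxml"))
    except PackageNotFoundError:
        return None


# src holds one URL; srcset holds comma-separated candidates, and a data: URI
# itself contains commas, so srcset is searched at candidate boundaries only.
_DATA_IN_SRC = re.compile(r"^\s*data:", re.IGNORECASE)
_DATA_IN_SRCSET = re.compile(r"(?:^|,)\s*data:", re.IGNORECASE)


class _DataUriImageScanner(HTMLParser):
    """Collects (attribute, value) pairs for data: image sources."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names but keeps values as-is,
        # so "SRC=' DATA:...'" is still caught (browsers trim and ignore case).
        if tag != "img":
            return
        for name, value in attrs:
            if not value:
                continue
            if name == "src" and _DATA_IN_SRC.search(value):
                self.hits.append((name, value))
            elif name == "srcset" and _DATA_IN_SRCSET.search(value):
                self.hits.append((name, value))


def find_data_uri_images(html):
    """Return [(attribute, value), ...] for every inline data: image source."""
    scanner = _DataUriImageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def is_safe_to_serve(html):
    """Policy (assumed): refuse any document that embeds images as data: URIs."""
    return not find_data_uri_images(html)


# Constructed sample input: one normal image and one inline SVG circle.
SAMPLE_HTML = (
    "<p>Profile</p>"
    '<img alt="avatar" src="https://example.invalid/avatar.png">'
    '<img src="data:image/svg+xml,%3Csvg xmlns=%27http://www.w3.org/2000/svg%27%3E'
    '%3Ccircle r=%2710%27/%3E%3C/svg%3E">'
)

if __name__ == "__main__":
    print("installed lxml is fixed:", installed_lxml_is_fixed())
    for attr, value in find_data_uri_images(SAMPLE_HTML):
        print("inline image via", attr, "->", value[:40] + "...")
    print("safe to serve:", is_safe_to_serve(SAMPLE_HTML))
```

Run it after sanitizing untrusted HTML: `installed_lxml_is_fixed()` returning False is the finding that matters most, and `is_safe_to_serve()` on the cleaner's output is a second line that does not depend on the cleaner's own handling of data: URIs.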

Vulnerable Products

lxml lxml

fedoraproject fedora 34

fedoraproject fedora 35

debian debian linux 9.0

debian debian linux 10.0

debian debian linux 11.0

netapp solidfire -

netapp solidfire enterprise sds -

netapp hci_storage_node_firmware -

oracle http server 12.2.1.3.0

oracle http server 12.2.1.4.0

oracle zfs storage appliance kit 8.8

oracle communications cloud native core binding support function 22.1.3

oracle communications cloud native core policy 22.2.0

oracle communications cloud native core network exposure function 22.1.1

Vendor Advisories

Debian Bug report logs - #1001885 lxml: CVE-2021-43818: HTML Cleaner allows crafted and SVG embedded scripts to pass through. Package: src:lxml; Maintainer for src:lxml is Matthias Klose <doko@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 18 Dec 2021 10:45:01 UTC; Severity: important; Ta ...
It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting. For the oldstable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u4. For the stable distribution (bullseye), this problem has been fixed in version 4.6.3+dfs ...
Synopsis: Moderate: python39:3.9 and python39-devel:3.9 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise L ...
Synopsis: Moderate: python-lxml security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-lxml is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as hav ...
Synopsis: Moderate: python27:2.7 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the python27:2.7 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this ...
Synopsis: Moderate: Red Hat Software Collections security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip is now available for Red ...
Synopsis: Moderate: Satellite 6.11 Release. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat Satellite 6.11. Description: Red Hat Satellite is a systems management tool for Linux-based in ...
Synopsis: Important: OpenShift Container Platform 4.11.0 bug fix and security update. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Co ...
There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts ...
A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and i ...
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a pat ...
Prior to python-lxml version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch ...