XSS in Lxml
CVE-2021-43818
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs…
EPSS: 0.054 (90.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N.
Affected products
- Lxml — versions < 4.6.5
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 (x_refsource_CONFIRM)
- github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a (x_refsource_MISC)
- github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c (x_refsource_MISC)
- github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 (x_refsource_MISC)
- FEDORA-2021-6e8fb79f90 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2021-9f9e7c5c4f (vendor-advisory, x_refsource_FEDORA)
- [debian-lts-announce] 20211230 [SECURITY] [DLA 2871-1] lxml security update (mailing-list, x_refsource_MLIST)
- DSA-5043 (vendor-advisory, x_refsource_DEBIAN)
- FEDORA-2022-96c79bf003 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2022-7129fbaeed (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- What is CVE-2021-43818?
- CVE-2021-43818 is a high-severity vulnerability in Lxml, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 8.2/10. Published 2021-12-13.
- How severe is CVE-2021-43818?
- High severity. CVSS v3 base score is 8.2 out of 10.
- Is CVE-2021-43818 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.