CVE-2021-28957 (Medium) detected in lxml-4.2.5-cp37-cp37m-manylinux1_x86_64.whl #100
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
CVE-2021-28957 - Medium Severity Vulnerability
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/7a/6b/a3d2d3c3075617edcbfc272d79281e812b1a94dab37923b1d06fdfe2e906/lxml-4.2.5-cp37-cp37m-manylinux1_x86_64.whl
Path to dependency file: /scrapers/requirements.txt
Path to vulnerable library: /scrapers/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 51c25ecb67a2ad16fcee689d0e1dd491f1ccda8b
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
Publish Date: 2021-03-21
URL: CVE-2021-28957
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-jq4v-f5q6-mjqq
Release Date: 2021-03-21
Fix Resolution: 4.6.3
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: