Описание
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack (XSS) when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Отчет
Web applications vulnerable to this flaw, where a XSS attack can be accomplished, are only those that use python-lxml to sanitize HTML input and that allow user data to be placed in the "formaction" attribute of a form button. In Red Hat OpenStack Platform, because the flaw has a lower impact and the package is unlikely to be exploited in the RHOSP environment, no update will be provided at this time for the RHOSP python-lxml package. For Ansible Tower and Ansible Automation Platform, Lowering the impact from Moderate to Low as the vulnerable function i.e. lxml HTML Cleaner and the vulnerable attribute i.e. HTML FormAction are not being used.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | lxml | Affected | ||
| Red Hat Ansible Tower 3 | lxml | Out of support scope | ||
| Red Hat Enterprise Linux 6 | python-lxml | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python-lxml | Out of support scope | ||
| Red Hat Enterprise Linux 9 | python-lxml | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | python-lxml | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | python-lxml | Will not fix | ||
| Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2021:4151 | 09.11.2021 |
| Red Hat Enterprise Linux 8 | python-lxml | Fixed | RHSA-2021:4158 | 09.11.2021 |
| Red Hat Enterprise Linux 8 | python39 | Fixed | RHSA-2021:4160 | 09.11.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.1 Medium
CVSS3
Связанные уязвимости
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
An XSS vulnerability was discovered in python-lxml's clean module vers ...
EPSS
6.1 Medium
CVSS3