ArchLinux: 202012-1: python-lxml: cross-site scripting
Summary
A cross-site scripting vulnerability was discovered in python-lxml's clean module before version 4.6.2. The module's parser did not properly imitate browsers, so the sanitizer and the user's browser could interpret the same markup differently. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Resolution
Upgrade to 4.6.2-1.
# pacman -Syu "python-lxml>=4.6.2-1"
The problem has been fixed upstream in version 4.6.2.
References
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
https://security.archlinux.org/CVE-2020-27783
Workaround
None.