What Are You Looking For?

Popular Tags

Sign Up
MGASA-2021-0246 - Updated python-lxml packages fix a security vulnerability

Publication date: 13 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0246.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-28957

An XSS vulnerability was discovered in python-lxml’s clean module 
versions before 4.6.3. When disabling the safe_attrs_only and forms 
arguments, the Cleaner class does not remove the formaction attribute 
allowing for JS to bypass the sanitizer. A remote attacker could exploit this 
flaw to run arbitrary JS code on users who interact with incorrectly 
sanitized HTML (CVE-2021-28957).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28983
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
- https://www.debian.org/security/2021/dsa-4880
- https://ubuntu.com/security/notices/USN-4896-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957

SRPMS:
- 8/core/python-lxml-4.6.3-1.mga8
- 7/core/python-lxml-4.3.0-1.3.mga7

Mageia 2021-0246: python-lxml security update

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3

Summary

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML (CVE-2021-28957).

References

- https://bugs.mageia.org/show_bug.cgi?id=28983

- https://lists.fedoraproject.org/archives/list/[email protected]/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/

- https://www.debian.org/security/2021/dsa-4880

- https://ubuntu.com/security/notices/USN-4896-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957

Resolution

MGASA-2021-0246 - Updated python-lxml packages fix a security vulnerability

SRPMS

- 8/core/python-lxml-4.6.3-1.mga8

- 7/core/python-lxml-4.3.0-1.3.mga7

Severity
Publication date: 13 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0246.html
Type: security
CVE: CVE-2021-28957

Related News

Mitigations for Critical c-ares DoS, Code Execution Bug Released

Sep 17, 2023

Critical Zero-Day Heap Buffer Overflow Vuln Fixed in Firefox, Thunderbird

Sep 23, 2023

Critical OpenDMARC DoS Bug Fixed

Sep 22, 2023

Critical BusyBox Stack Overflow Vuln Fixed

Sep 22, 2023

News

Advisories

HOWTOs

Features

Everything You Need to Know About Linux Proxy Servers
Simple Steps for Identifying & Troubleshooting a Kernel Panic
Linux Endpoint Detection and Response (EDR): A Crucial Part of a Successful Cybersecurity Strategy
Supercharging Linux: Tips & Tricks to Beat the Threat Landscape
LinuxSecurity.com Migrates to Joomla 4 and PHP 8: Our Experience & Key Takeaways

About Us

Powered By

Footer Logo

Feedback