{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-10T05:06:44.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/lxml/+bug/1888153"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"}, {"name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"}, {"name": "DSA-4880", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4880"}, {"name": "FEDORA-2021-28723f9670", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"}, {"name": "FEDORA-2021-4cdb0f68c7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"}, {"name": "GLSA-202208-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-06"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28957", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.launchpad.net/lxml/+bug/1888153", "refsource": "MISC", "url": "https://bugs.launchpad.net/lxml/+bug/1888153"}, {"name": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "refsource": "MISC", "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"}, {"name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"}, {"name": "DSA-4880", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4880"}, {"name": "FEDORA-2021-28723f9670", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"}, {"name": "FEDORA-2021-4cdb0f68c7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "refsource": "MISC", "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"}, {"name": "https://security.netapp.com/advisory/ntap-20210521-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"}, {"name": "GLSA-202208-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-06"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:55:12.376Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.launchpad.net/lxml/+bug/1888153"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"}, {"name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"}, {"name": "DSA-4880", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4880"}, {"name": "FEDORA-2021-28723f9670", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"}, {"name": "FEDORA-2021-4cdb0f68c7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"}, {"name": "GLSA-202208-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-06"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T21:31:40.372887Z", "id": "CVE-2021-28957", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:31:43.446Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28957", "datePublished": "2021-03-21T04:39:35.000Z", "dateReserved": "2021-03-21T00:00:00.000Z", "dateUpdated": "2025-12-17T21:31:43.446Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.launchpad.net/lxml/+bug/1888153", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html", "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-4880", "name": "DSA-4880", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/", "name": "FEDORA-2021-28723f9670", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/", "name": "FEDORA-2021-4cdb0f68c7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210521-0004/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202208-06", "name": "GLSA-202208-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:55:12.376Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-28957", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T21:31:40.372887Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:31:20.854Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.launchpad.net/lxml/+bug/1888153", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html", "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.debian.org/security/2021/dsa-4880", "name": "DSA-4880", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/", "name": "FEDORA-2021-28723f9670", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/", "name": "FEDORA-2021-4cdb0f68c7", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20210521-0004/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://security.gentoo.org/glsa/202208-06", "name": "GLSA-202208-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-08-10T05:06:44.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://bugs.launchpad.net/lxml/+bug/1888153", "name": "https://bugs.launchpad.net/lxml/+bug/1888153", "refsource": "MISC"}, {"url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "name": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "refsource": "MISC"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html", "name": "[debian-lts-announce] 20210324 [SECURITY] [DLA 2606-1] lxml security update", "refsource": "MLIST"}, {"url": "https://www.debian.org/security/2021/dsa-4880", "name": "DSA-4880", "refsource": "DEBIAN"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/", "name": "FEDORA-2021-28723f9670", "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/", "name": "FEDORA-2021-4cdb0f68c7", "refsource": "FEDORA"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC"}, {"url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "name": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20210521-0004/", "name": "https://security.netapp.com/advisory/ntap-20210521-0004/", "refsource": "CONFIRM"}, {"url": "https://security.gentoo.org/glsa/202208-06", "name": "GLSA-202208-06", "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-28957", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2021-28957", "state": "PUBLISHED", "dateUpdated": "2025-12-17T21:31:43.446Z", "dateReserved": "2021-03-21T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-03-21T04:39:35.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BADE2D9-D321-4DB0-839C-EB11673439DD", "versionEndExcluding": "4.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad XSS en las versiones del m\u00f3dulo clean de python-lxml anteriores a la versi\u00f3n 4.6.3. Al desactivar los argumentos safe_attrs_only y forms, la clase Cleaner no elimina el atributo formaction, lo que permite que JS eluda el sanitizador. Un atacante remoto podr\u00eda aprovechar este fallo para ejecutar c\u00f3digo JS arbitrario en usuarios que interact\u00faen con HTML incorrectamente saneado. Este problema est\u00e1 parcheado en lxml versi\u00f3n 4.6.3"}], "id": "CVE-2021-28957", "lastModified": "2025-12-17T22:15:56.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-03-21T05:15:13.367", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/lxml/+bug/1888153"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-06"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4880"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/lxml/+bug/1888153"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXN3QPWCTQVOGW4BMWV3AUUZZ4NRZNSQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210521-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4880"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4151", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8050020210811095446.3e7ace8b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4158", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-lxml-0:4.2.3-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38-devel:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}], "bugzilla": {"description": "python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS", "id": "1941534", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941534"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.", "A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack (XSS) when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2021-28957", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "impact": "low", "package_name": "lxml", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Out of support scope", "impact": "low", "package_name": "lxml", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-lxml", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "python-lxml", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2021-03-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28957\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28957"], "statement": "Web applications vulnerable to this flaw, where a XSS attack can be accomplished, are only those that use python-lxml to sanitize HTML input and that allow user data to be placed in the \"formaction\" attribute of a form button.\nIn Red Hat OpenStack Platform, because the flaw has a lower impact and the package is unlikely to be exploited in the RHOSP environment, no update will be provided at this time for the RHOSP python-lxml package.\nFor Ansible Tower and Ansible Automation Platform, Lowering the impact from Moderate to Low as the vulnerable function i.e. lxml HTML Cleaner and the vulnerable attribute i.e. HTML FormAction are not being used.", "threat_severity": "Moderate"}

{}