GHSA-55x5-fj6c-h6m8

Source

https://github.com/advisories/GHSA-55x5-fj6c-h6m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-55x5-fj6c-h6m8/GHSA-55x5-fj6c-h6m8.json

Aliases

CVE-2021-43818

Published

2021-12-13T18:14:36Z

Modified

2024-02-16T08:23:04.061539Z

Summary

lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through

Details

Impact

The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.

Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.

Patches

The issue has been resolved in lxml 4.6.5.

Workarounds

None.

References

The issues are tracked under the report IDs GHSL-2021-1037 and GHSL-2021-1038.

References

Affected packages

PyPI / lxml

Package

Name: lxml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

4.6.5

Affected versions

1.*

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

2.*

2.0

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

3.*

3.0

3.0.2

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.5.0

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

4.*

4.0.0

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.3.0

4.3.2

4.3.3

4.3.4

4.3.5

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.5.1

4.5.2

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4