MGASA-2021-0246

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0246.html

Import Source

https://advisories.mageia.org/MGASA-2021-0246.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2021-0246

Related

CVE-2021-28957

Published

2021-06-13T21:32:39Z

Modified

2021-06-13T20:15:50Z

Summary

Updated python-lxml packages fix a security vulnerability

Details

An XSS vulnerability was discovered in python-lxmlâs clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML (CVE-2021-28957).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:8 / python-lxml

Package

Name: python-lxml
Purl: pkg:rpm/mageia/python-lxml?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.6.3-1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / python-lxml

Package

Name: python-lxml
Purl: pkg:rpm/mageia/python-lxml?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.0-1.3.mga7

Ecosystem specific

{
    "section": "core"
}