PYSEC-2020-62

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2020-62.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-62

Aliases

Published

2020-12-03T17:15:00Z

Modified

2023-11-08T04:03:22.239924Z

Summary

[none]

Details

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

References

Affected packages

PyPI / lxml

Package

Name: lxml; View open source insights on deps.dev
Purl: pkg:pypi/lxml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2

Fixed

4.6.2

Affected versions

1.*

1.2

1.2.1

1.3beta

1.3

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

2.*

2.0alpha1

2.0alpha2

2.0alpha3

2.0alpha4

2.0alpha5

2.0alpha6

2.0beta1

2.0beta2

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.1alpha1

2.1beta1

2.1beta2

2.1beta3

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2alpha1

2.2beta1

2.2beta2

2.2beta3

2.2beta4

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.3alpha1

2.3alpha2

2.3beta1

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

3.*

3.0

3.0.1

3.0.2

3.1beta1

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.3.0beta1

3.3.0beta2

3.3.0beta3

3.3.0beta4

3.3.0beta5

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.5.0b1

3.5.0

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

4.*

4.0.0

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.5.1

4.5.2

4.6.0

4.6.1