[PYSEC-2021-19] lxml vulnerability

Severity Medium
Affected Packages 147
Fixed Packages 1
CVEs 1

An XSS vulnerability was discovered in the clean module of python-lxml in versions before 4.6.3. When the safe_attrs_only and forms arguments are disabled, the Cleaner class does not remove the formaction attribute, which allows JavaScript to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JavaScript code against users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

Package Affected Version
pkg:pypi/lxml >= 0.0, < 4.6.3
pkg:pypi/lxml = 0.9
pkg:pypi/lxml = 0.9.1
pkg:pypi/lxml = 0.9.2
pkg:pypi/lxml = 1.0.beta
pkg:pypi/lxml = 1.0
pkg:pypi/lxml = 1.0.1
pkg:pypi/lxml = 1.0.2
pkg:pypi/lxml = 1.0.3
pkg:pypi/lxml = 1.0.4
pkg:pypi/lxml = 1.1alpha
pkg:pypi/lxml = 1.1beta
pkg:pypi/lxml = 1.1
pkg:pypi/lxml = 1.1.1
pkg:pypi/lxml = 1.1.2
pkg:pypi/lxml = 1.2
pkg:pypi/lxml = 1.2.1
pkg:pypi/lxml = 1.3beta
pkg:pypi/lxml = 1.3
pkg:pypi/lxml = 1.3.1
pkg:pypi/lxml = 1.3.2
pkg:pypi/lxml = 1.3.3
pkg:pypi/lxml = 1.3.4
pkg:pypi/lxml = 1.3.5
pkg:pypi/lxml = 1.3.6
pkg:pypi/lxml = 2.0alpha1
pkg:pypi/lxml = 2.0alpha2
pkg:pypi/lxml = 2.0alpha3
pkg:pypi/lxml = 2.0alpha4
pkg:pypi/lxml = 2.0alpha5
pkg:pypi/lxml = 2.0alpha6
pkg:pypi/lxml = 2.0beta1
pkg:pypi/lxml = 2.0beta2
pkg:pypi/lxml = 2.0
pkg:pypi/lxml = 2.0.1
pkg:pypi/lxml = 2.0.2
pkg:pypi/lxml = 2.0.3
pkg:pypi/lxml = 2.0.4
pkg:pypi/lxml = 2.0.5
pkg:pypi/lxml = 2.0.6
pkg:pypi/lxml = 2.0.7
pkg:pypi/lxml = 2.0.8
pkg:pypi/lxml = 2.0.9
pkg:pypi/lxml = 2.0.10
pkg:pypi/lxml = 2.0.11
pkg:pypi/lxml = 2.1alpha1
pkg:pypi/lxml = 2.1beta1
pkg:pypi/lxml = 2.1beta2
pkg:pypi/lxml = 2.1beta3
pkg:pypi/lxml = 2.1
pkg:pypi/lxml = 2.1.1
pkg:pypi/lxml = 2.1.2
pkg:pypi/lxml = 2.1.3
pkg:pypi/lxml = 2.1.4
pkg:pypi/lxml = 2.1.5
pkg:pypi/lxml = 2.2alpha1
pkg:pypi/lxml = 2.2beta1
pkg:pypi/lxml = 2.2beta2
pkg:pypi/lxml = 2.2beta3
pkg:pypi/lxml = 2.2beta4
pkg:pypi/lxml = 2.2
pkg:pypi/lxml = 2.2.1
pkg:pypi/lxml = 2.2.2
pkg:pypi/lxml = 2.2.3
pkg:pypi/lxml = 2.2.4
pkg:pypi/lxml = 2.2.5
pkg:pypi/lxml = 2.2.6
pkg:pypi/lxml = 2.2.7
pkg:pypi/lxml = 2.2.8
pkg:pypi/lxml = 2.3alpha1
pkg:pypi/lxml = 2.3alpha2
pkg:pypi/lxml = 2.3beta1
pkg:pypi/lxml = 2.3
pkg:pypi/lxml = 2.3.1
pkg:pypi/lxml = 2.3.2
pkg:pypi/lxml = 2.3.3
pkg:pypi/lxml = 2.3.4
pkg:pypi/lxml = 2.3.5
pkg:pypi/lxml = 2.3.6
pkg:pypi/lxml = 3.0
pkg:pypi/lxml = 3.0.1
pkg:pypi/lxml = 3.0.2
pkg:pypi/lxml = 3.1beta1
pkg:pypi/lxml = 3.1.0
pkg:pypi/lxml = 3.1.1
pkg:pypi/lxml = 3.1.2
pkg:pypi/lxml = 3.2.0
pkg:pypi/lxml = 3.2.1
pkg:pypi/lxml = 3.2.2
pkg:pypi/lxml = 3.2.3
pkg:pypi/lxml = 3.2.4
pkg:pypi/lxml = 3.2.5
pkg:pypi/lxml = 3.3.0beta1
pkg:pypi/lxml = 3.3.0beta2
pkg:pypi/lxml = 3.3.0beta3
pkg:pypi/lxml = 3.3.0beta4
pkg:pypi/lxml = 3.3.0beta5
pkg:pypi/lxml = 3.3.0
pkg:pypi/lxml = 3.3.1
pkg:pypi/lxml = 3.3.2
pkg:pypi/lxml = 3.3.3
pkg:pypi/lxml = 3.3.4
pkg:pypi/lxml = 3.3.5
pkg:pypi/lxml = 3.3.6
pkg:pypi/lxml = 3.4.0
pkg:pypi/lxml = 3.4.1
pkg:pypi/lxml = 3.4.2
pkg:pypi/lxml = 3.4.3
pkg:pypi/lxml = 3.4.4
pkg:pypi/lxml = 3.5.0b1
pkg:pypi/lxml = 3.5.0
pkg:pypi/lxml = 3.6.0
pkg:pypi/lxml = 3.6.1
pkg:pypi/lxml = 3.6.2
pkg:pypi/lxml = 3.6.3
pkg:pypi/lxml = 3.6.4
pkg:pypi/lxml = 3.7.0
pkg:pypi/lxml = 3.7.1
pkg:pypi/lxml = 3.7.2
pkg:pypi/lxml = 3.7.3
pkg:pypi/lxml = 3.8.0
pkg:pypi/lxml = 4.0.0
pkg:pypi/lxml = 4.1.0
pkg:pypi/lxml = 4.1.1
pkg:pypi/lxml = 4.2.0
pkg:pypi/lxml = 4.2.1
pkg:pypi/lxml = 4.2.2
pkg:pypi/lxml = 4.2.3
pkg:pypi/lxml = 4.2.4
pkg:pypi/lxml = 4.2.5
pkg:pypi/lxml = 4.2.6
pkg:pypi/lxml = 4.3.0
pkg:pypi/lxml = 4.3.1
pkg:pypi/lxml = 4.3.2
pkg:pypi/lxml = 4.3.3
pkg:pypi/lxml = 4.3.4
pkg:pypi/lxml = 4.3.5
pkg:pypi/lxml = 4.4.0
pkg:pypi/lxml = 4.4.1
pkg:pypi/lxml = 4.4.2
pkg:pypi/lxml = 4.4.3
pkg:pypi/lxml = 4.5.0
pkg:pypi/lxml = 4.5.1
pkg:pypi/lxml = 4.5.2
pkg:pypi/lxml = 4.6.0
pkg:pypi/lxml = 4.6.1
pkg:pypi/lxml = 4.6.2
Package Fixed Version
pkg:pypi/lxml = 4.6.3