CVE-2020-27783: XSS

Published Oct 18, 2020

A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity.

Other sources

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Python LXML is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the clean module. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

IBM

The python-lxml package from version 1.2 and before version 4.6.2 is vulnerable to mXSS due to the use of an improper parser. The parser used doesn't imitate browsers, which causes different behaviours between the sanitizer and the user's page. This can result in arbitrary HTML/JS code execution.

References:
https://pypi.org/project/lxml/4.6.1/
https://pypi.org/project/lxml/4.6.2/

Upstream patches:
https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7

Red Hat

Affected Software

24 affected components; fixes available.

Package / product                                  Affected versions                  Fixed in
redhat/python-lxml                                 < 0:4.2.3-2.el8                    0:4.2.3-2.el8
redhat/rh-python38-babel                           < 0:2.7.0-12.el7                   0:2.7.0-12.el7
redhat/rh-python38-python                          < 0:3.8.11-2.el7                   0:3.8.11-2.el7
redhat/rh-python38-python-cryptography             < 0:2.8-5.el7                      0:2.8-5.el7
redhat/rh-python38-python-jinja2                   < 0:2.10.3-6.el7                   0:2.10.3-6.el7
redhat/rh-python38-python-lxml                     < 0:4.4.1-7.el7                    0:4.4.1-7.el7
redhat/rh-python38-python-pip                      < 0:19.3.1-2.el7                   0:19.3.1-2.el7
redhat/rh-python38-python-urllib3                  < 0:1.25.7-7.el7                   0:1.25.7-7.el7
debian/lxml                                        (backported fix, see note)         4.3.2-1+deb10u4, 4.6.3+dfsg-0.1+deb11u1, 4.9.2-1, 4.9.3-1
redhat/lxml                                        < 4.6.2                            4.6.2
pip/lxml                                           < 4.6.2                            4.6.2
lxml (upstream)                                    >= 1.2, < 4.6.2                    4.6.2
IBM Cloud Pak for Security (CP4S)                  <= 1.7.2.0, <= 1.7.1.0, <= 1.7.0.0
Red Hat Software Collections
Red Hat Enterprise Linux 8.0
Debian Linux 9.0, 10.0
Fedora 32, 33
NetApp SnapCenter
Oracle Communications Offline Mediation Controller 12.0.0.3.0
Oracle ZFS Storage Appliance Kit 8.8

Note: distribution builds carry the fix as a backport under the distribution's own version number, so python-lxml 0:4.2.3-2.el8 on RHEL 8 or lxml 4.3.2-1+deb10u4 on Debian 10 is patched even though its upstream version is below 4.6.2. When checking an installed system, compare against the vendor's fixed release for that package, not against the upstream < 4.6.2 range. The rh-python38-* entries other than rh-python38-python-lxml contain no lxml code; they appear here because they were updated in the same Red Hat Software Collections advisory, and the version shown for each is the fixed build.
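The table above mixes an upstream range (pip/lxml < 4.6.2) with vendor builds whose fixed version is numerically lower than 4.6.2, which is exactly where naive version comparison goes wrong. The script below is an added example, not code from this advisory or from the lxml project: it encodes the fixed builds listed on this page and answers "is this installed lxml affected?" for both PyPI-style versions and RPM-style epoch:version-release strings. Assumptions: the FIXED table and the inventory at the bottom are constructed from the page's entries, the RPM comparison is a simplified rpmvercmp without tilde or caret handling, and all function names are illustrative.

```python
"""Decide whether an installed lxml build is inside the CVE-2020-27783 range.

Added example (not from the advisory or the lxml project). FIXED and the
sample inventory are built from the Affected Software table on this page;
the comparison helpers are simplified and assumed, not vendor tooling.
"""
import re
from importlib.metadata import PackageNotFoundError, version  # Python 3.8+
from typing import List, Optional, Tuple

# First fixed build per ecosystem, as listed on this page.
FIXED = {
    ("pip", "lxml"): "4.6.2",
    ("redhat", "python-lxml"): "0:4.2.3-2.el8",
    ("redhat", "rh-python38-python-lxml"): "0:4.4.1-7.el7",
}
FIRST_AFFECTED_PIP = "1.2"  # upstream range per the advisory text: >= 1.2, < 4.6.2

_PEP440 = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def pip_key(ver: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key for plain PyPI versions (4.6.1, 4.6.2rc1); pre-releases sort before the final."""
    m = _PEP440.match(ver.strip())
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # 4.6.0 == 4.6
        nums.pop()
    if m.group(2) is None:
        return (tuple(nums), 1, 0)
    return (tuple(nums), 0, {"a": 0, "b": 1, "rc": 2}[m.group(2)] * 1000 + int(m.group(3)))


def _rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right; digits beat letters."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str) -> Tuple[int, str, str]:
    """'0:4.2.3-2.el8' -> (0, '4.2.3', '2.el8'); a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    ver, _, rel = evr.partition("-")
    return epoch, ver, rel


def rpm_cmp(a: str, b: str) -> int:
    """Compare two epoch:version-release strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _rpmvercmp(va, vb) or _rpmvercmp(ra, rb)


def is_affected(ecosystem: str, package: str, installed: str) -> bool:
    """True when the installed build predates the first fixed build for its ecosystem."""
    fixed = FIXED[(ecosystem, package)]
    if ecosystem == "pip":
        return pip_key(FIRST_AFFECTED_PIP) <= pip_key(installed) < pip_key(fixed)
    if ecosystem == "redhat":
        # Vendor builds backport the fix: 0:4.2.3-2.el8 is patched although
        # 4.2.3 < 4.6.2 upstream, so compare against the vendor EVR, never the pip range.
        return rpm_cmp(installed, fixed) < 0
    raise ValueError(f"unknown ecosystem: {ecosystem}")


def scan(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (ecosystem, package, installed) entries that are still vulnerable."""
    return [entry for entry in inventory if is_affected(*entry)]


def installed_pip_lxml_affected() -> Optional[bool]:
    """Check the lxml visible to this interpreter; None if absent or unparseable."""
    try:
        return is_affected("pip", "lxml", version("lxml"))
    except (PackageNotFoundError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = [
        ("pip", "lxml", "4.6.1"),
        ("pip", "lxml", "4.6.2"),
        ("redhat", "python-lxml", "0:4.2.3-1.el8"),
        ("redhat", "python-lxml", "0:4.2.3-2.el8"),
        ("redhat", "rh-python38-python-lxml", "0:4.4.1-7.el7"),
    ]
    for entry in scan(inventory):
        print("AFFECTED:", entry)
    print("lxml in this interpreter affected:", installed_pip_lxml_affected())
```

The point of keeping two comparators is that the same package can be correct or wrong to flag depending on who built it: pip's 4.6.1 is vulnerable, while Red Hat's 0:4.2.3-2.el8 is not, despite the lower number. Feed real data from pip freeze or rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' into scan(); for Debian packages, dpkg's comparison rules differ from rpmvercmp and would need their own comparator.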

Event History

Oct 18, 2020, 12:00 AM   CVE Published
Dec 3, 2020, 04:39 PM    CVE Published via MITRE
Dec 3, 2020, 04:39 PM    Data Sourced via MITRE (description, weakness)
Dec 3, 2020, 05:15 PM    Data Sourced via NVD (remedy, description, severity, weakness, affected software)
Jan 7, 2021, 09:54 PM    Advisory Published via GitHub


Frequently Asked Questions

1. What is CVE-2020-27783?

CVE-2020-27783 is a cross-site scripting (XSS) vulnerability in the clean module (lxml.html.clean) of python-lxml, the Python bindings for libxml2. Upstream lxml from version 1.2 up to, but not including, 4.6.2 is affected.

2. How does CVE-2020-27783 work?

The cleaner sanitizes HTML with a parser that does not behave the way a browser's parser does, so markup that the sanitizer treats as inert can be re-parsed by the victim's browser into active content. This is a mutation XSS (mXSS): an attacker who can get crafted HTML through the cleaner and into a page that other users view can run arbitrary HTML/JS in their browsers, with the usual consequences for confidentiality and integrity (session theft, actions in the victim's context).

3. What is the severity of CVE-2020-27783?

The severity is Medium, with a CVSS base score of 6.1.

4. Which software packages are affected by CVE-2020-27783?

The vulnerable code is lxml's clean module, so any build of lxml from 1.2 and before 4.6.2 is affected, including the distribution packages listed above: python-lxml on Red Hat Enterprise Linux 8 (fixed in 0:4.2.3-2.el8), rh-python38-python-lxml in Red Hat Software Collections (fixed in 0:4.4.1-7.el7), Debian's lxml, and products that bundle lxml. The other rh-python38 packages (babel, python, python-cryptography, python-jinja2, python-pip, python-urllib3) were updated in the same Red Hat Software Collections advisory; the version shown for each is the fixed build, not a vulnerable one.

5. How can I fix CVE-2020-27783?

Upgrade lxml to 4.6.2 or later (for pip installs, lxml>=4.6.2). On Red Hat Enterprise Linux 8 install python-lxml 0:4.2.3-2.el8 or later, and in Red Hat Software Collections update rh-python38-python-lxml to 0:4.4.1-7.el7 or later; these builds carry a backported fix, so their package version stays below 4.6.2. Debian users should install the fixed version listed under Affected Software for their release.
