CVE-2021-28957: XSS

Published Mar 21, 2021
·
Updated

A flaw was found in python-lxml. The HTML5 formaction attribute is not input sanitized like the HTML action attribute is which can lead to a Cross-Site Scripting attack (XSS) when an application uses python-lxml to sanitize user inputs. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Other sources

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

An XSS vulnerability was discovered in the python lxml clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

GitHub

lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.linkattrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

Reference:

https://bugs.launchpad.net/lxml/+bug/1888153

Red Hat

Affected Software

19 affected componentsFixes available
redhat/python-lxml<0:4.2.3-3.el8
0:4.2.3-3.el8
redhat/rh-python38-babel<0:2.7.0-12.el7
0:2.7.0-12.el7
redhat/rh-python38-python<0:3.8.11-2.el7
0:3.8.11-2.el7
redhat/rh-python38-python-cryptography<0:2.8-5.el7
0:2.8-5.el7
redhat/rh-python38-python-jinja2<0:2.10.3-6.el7
0:2.10.3-6.el7
redhat/rh-python38-python-lxml<0:4.4.1-7.el7
0:4.4.1-7.el7
redhat/rh-python38-python-pip<0:19.3.1-2.el7
0:19.3.1-2.el7
redhat/rh-python38-python-urllib3<0:1.25.7-7.el7
0:1.25.7-7.el7
debian/lxml
4.3.2-1+deb10u44.6.3+dfsg-0.1+deb11u14.9.2-14.9.3-1
debian/lxml<=4.3.2-1+deb10u2, <=4.3.2-1, <=4.6.2-1
4.6.3-14.3.2-1+deb10u3
redhat/python-lxml<4.6.3
4.6.3
pip/lxml<4.6.3
4.6.3
lxml lxml<4.6.3
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
NetApp Snapcenter
Oracle ZFS Storage Appliance Kit=8.8

Remediation

Patch Available

https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999

Patch Available

https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Mar 21, 2021
CVE Published
12:00 AM
CVE Published
via MITRE·04:39 AM
Data Sourced
via MITRE·04:39 AM
Description
Data Sourced
via NVD·05:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Mar 22, 2021
Advisory Published
04:53 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-28957?

CVE-2021-28957 is an XSS vulnerability in the python `lxml` clean module versions before 4.6.3.

2

How does CVE-2021-28957 work?

CVE-2021-28957 allows a remote attacker to bypass the sanitizer by exploiting the `formaction` attribute in the HTML5 form.

3

Which software versions are affected by CVE-2021-28957?

The python `lxml` clean module versions before 4.6.3 are affected by CVE-2021-28957.

4

What is the severity of CVE-2021-28957?

CVE-2021-28957 has a severity rating of 6.1 (high).

5

How can CVE-2021-28957 be fixed?

To fix CVE-2021-28957, upgrade to python `lxml` clean module version 4.6.3 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203