CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Published: Dec 13, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-43818
GHSA: GHSA-55x5-fj6c-h6m8
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
lxml / lxml	-	4.6.5
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
oracle / http_server	12.2.1.3.0	12.2.1.3.0.x
oracle / http_server	12.2.1.4.0	12.2.1.4.0.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
oracle / communications_cloud_native_core_binding_support_function	22.1.3	22.1.3.x
oracle / communications_cloud_native_core_policy	22.2.0	22.2.0.x
oracle / communications_cloud_native_core_network_exposure_function	22.1.1	22.1.1.x
lxml	-	4.6.5

Vulnerability Database

289,599

CVE-2021-43818