Security Advisory

CVE-2021-28957

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-03-21 04:39:35

Last updated 2025-12-17 21:31:43

Assigner mitre

State PUBLISHED

Description

An XSS vulnerability was discovered in python-lxmls clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

← Browse all CVEs View on cve.org ↗