CVE-2020-27783
python-lxml: mXSS due to the use of improper parser
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Se detectó una vulnerabilidad de tipo XSS en el módulo de limpieza de python-lxml. El analizador del módulo no imitaba apropiadamente los navegadores, lo que causaba comportamientos diferentes entre el sanitizador y la página del usuario. Un atacante remoto podría explotar este fallo para ejecutar código HTML/JS arbitrario
A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-10-27 CVE Reserved
- 2020-12-03 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html | Mailing List | |
https://security.netapp.com/advisory/ntap-20210521-0003 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://advisory.checkmarx.net/advisory/CX-2020-4286 | 2024-08-04 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1901633 | 2024-08-04 |
URL | Date | SRC |
---|---|---|
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Lxml Search vendor "Lxml" | Lxml Search vendor "Lxml" for product "Lxml" | >= 1.2 < 4.6.2 Search vendor "Lxml" for product "Lxml" and version " >= 1.2 < 4.6.2" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | - | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Snapcenter Search vendor "Netapp" for product "Snapcenter" | - | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | 12.0.0.3.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit" | 8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8" | - |
Affected
|