Home > Vulnerability Database > CVE-2021-43818

Mend.io Vulnerability Database

CVE-2021-43818

Good to know:

Date: December 13, 2021

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Language: Python

Severity Score

8.2

Related Resources (24)

Url: https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0

Url: https://security.gentoo.org/glsa/202208-06

Url: https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44

Url: https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-43818

Url: https://github.com/lxml/lxml

Url: https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/

Url: https://security.netapp.com/advisory/ntap-20220107-0005

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/

Url: https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml

Url: https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html

Url: https://security.netapp.com/advisory/ntap-20220107-0005/

Url: https://access.redhat.com/security/cve/CVE-2021-43818

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V

Url: https://www.oracle.com/security-alerts/cpujul2022.html

Url: https://www.debian.org/security/2022/dsa-5043

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/

Url: https://www.mend.io/vulnerability-database/CVE-2021-43818

Severity Score

8.2

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version lxml - 4.6.5

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-43818

Good to know:

Date: December 13, 2021

Language: Python

Severity Score

Related Resources (24)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?