PyPi: Lxml-Html-Clean

CVE-2024-52595

Safety vulnerability ID: 74230

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 19, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Affected versions of lxml_html_clean are vulnerable to Cross-Site Scripting (CWE-79). This vulnerability allows attackers to inject malicious scripts within CSS comments in special HTML tags like <svg>, <math>, and <noscript>, potentially executing harmful code in users' browsers. The attack vector involves crafting HTML content that bypasses the sanitizer by exploiting improper handling of CSS comments. To mitigate, upgrade to lxml_html_clean version 0.4.0 or later, or configure the cleaner to remove or restrict context-switching tags such as <svg>, <math>, and <noscript>.

Affected package

lxml-html-clean

Latest version: 0.4.1

HTML cleaner from lxml project

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Availability (A): NONE