cve/2021/CVE-2021-28957.md

CVE-2021-28957

Description

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

POC

Reference

• https://www.oracle.com/security-alerts/cpuoct2021.html

Github

No PoCs found on GitHub currently.