An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "python3-lxml-dbg": "3.3.3-1ubuntu0.2+esm3", "python-lxml": "3.3.3-1ubuntu0.2+esm3", "python-lxml-dbg": "3.3.3-1ubuntu0.2+esm3", "python-lxml-dbgsym": "3.3.3-1ubuntu0.2+esm3", "python-lxml-doc": "3.3.3-1ubuntu0.2+esm3", "python3-lxml": "3.3.3-1ubuntu0.2+esm3", "python3-lxml-dbgsym": "3.3.3-1ubuntu0.2+esm3" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python-lxml": "3.5.0-1ubuntu0.4", "python3-lxml-dbg": "3.5.0-1ubuntu0.4", "python-lxml-doc": "3.5.0-1ubuntu0.4", "python3-lxml": "3.5.0-1ubuntu0.4", "python-lxml-dbg": "3.5.0-1ubuntu0.4" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python-lxml": "4.2.1-1ubuntu0.4", "python3-lxml-dbg": "4.2.1-1ubuntu0.4", "python-lxml-doc": "4.2.1-1ubuntu0.4", "python3-lxml": "4.2.1-1ubuntu0.4", "python-lxml-dbg": "4.2.1-1ubuntu0.4" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "python-lxml": "4.5.0-1ubuntu0.3", "python3-lxml-dbg": "4.5.0-1ubuntu0.3", "python-lxml-doc": "4.5.0-1ubuntu0.3", "python3-lxml": "4.5.0-1ubuntu0.3", "python-lxml-dbg": "4.5.0-1ubuntu0.3" } ] }