VulnerableCode Package Details - pkg:pypi/lxml@1.1b0

Search for packages

Vulnerability	Summary	Fixed by
VCID-a4yj-hfep-aaaq Aliases: CVE-2014-3146 GHSA-57qw-cc2g-pv5p PYSEC-2014-9	Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.	3.3.5 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-cah8-awtr-aaad Aliases: CVE-2018-19787 GHSA-xp26-p53h-6h2p PYSEC-2018-12	An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.	4.2.5 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gufu-nks1-aaag Aliases: CVE-2022-2309 GHSA-wrxv-2j5q-m38w PYSEC-2022-230	NULL Pointer Dereference in lxml	4.9.1 Affected by 0 other vulnerabilities.
VCID-jq1x-31sj-aaas Aliases: CVE-2021-28957 GHSA-jq4v-f5q6-mjqq PYSEC-2021-19	An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.	4.6.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ub64-azys-aaaf Aliases: CVE-2021-43818 GHSA-55x5-fj6c-h6m8 PYSEC-2021-852	lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.	4.6.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-a4yj-hfep-aaaq
Aliases:
CVE-2014-3146
GHSA-57qw-cc2g-pv5p
PYSEC-2014-9

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

3.3.5
Affected by 5 other vulnerabilities.

VCID-cah8-awtr-aaad
Aliases:
CVE-2018-19787
GHSA-xp26-p53h-6h2p
PYSEC-2018-12

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

4.2.5
Affected by 4 other vulnerabilities.

VCID-gufu-nks1-aaag
Aliases:
CVE-2022-2309
GHSA-wrxv-2j5q-m38w
PYSEC-2022-230

NULL Pointer Dereference in lxml

4.9.1
Affected by 0 other vulnerabilities.

VCID-jq1x-31sj-aaas
Aliases:
CVE-2021-28957
GHSA-jq4v-f5q6-mjqq
PYSEC-2021-19

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

4.6.3
Affected by 2 other vulnerabilities.

VCID-ub64-azys-aaaf
Aliases:
CVE-2021-43818
GHSA-55x5-fj6c-h6m8
PYSEC-2021-852

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

4.6.5
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-01-17T07:57:24.376545+00:00	PyPI Importer	Affected by	VCID-gufu-nks1-aaag	None	35.1.0
2025-01-17T07:57:06.711632+00:00	PyPI Importer	Affected by	VCID-cah8-awtr-aaad	None	35.1.0
2024-09-18T12:26:02.203312+00:00	Pypa Importer	Affected by	VCID-gufu-nks1-aaag	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2022-230.yaml	34.0.1
2024-09-18T12:25:16.580310+00:00	Pypa Importer	Affected by	VCID-ub64-azys-aaaf	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2021-852.yaml	34.0.1
2024-09-18T12:11:32.071866+00:00	Pypa Importer	Affected by	VCID-jq1x-31sj-aaas	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2021-19.yaml	34.0.1
2024-09-18T12:07:25.664506+00:00	Pypa Importer	Affected by	VCID-cah8-awtr-aaad	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2018-12.yaml	34.0.1
2024-09-18T12:00:09.159965+00:00	Pypa Importer	Affected by	VCID-a4yj-hfep-aaaq	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2014-9.yaml	34.0.1
2024-09-17T23:15:23.165454+00:00	PyPI Importer	Affected by	VCID-gufu-nks1-aaag	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.1
2024-09-17T23:00:02.941066+00:00	PyPI Importer	Affected by	VCID-jq1x-31sj-aaas	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.1
2024-09-17T22:51:50.829577+00:00	PyPI Importer	Affected by	VCID-cah8-awtr-aaad	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.1
2024-09-17T22:50:14.808306+00:00	PyPI Importer	Affected by	VCID-a4yj-hfep-aaaq	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.1
2024-01-03T18:52:00.013034+00:00	PyPI Importer	Affected by	VCID-gufu-nks1-aaag	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.0rc1
2024-01-03T18:41:19.761624+00:00	PyPI Importer	Affected by	VCID-jq1x-31sj-aaas	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.0rc1
2024-01-03T18:34:48.734673+00:00	PyPI Importer	Affected by	VCID-cah8-awtr-aaad	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.0rc1
2024-01-03T18:33:30.218376+00:00	PyPI Importer	Affected by	VCID-a4yj-hfep-aaaq	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	34.0.0rc1
2024-01-03T18:27:45.235435+00:00	Pypa Importer	Affected by	VCID-a4yj-hfep-aaaq	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2014-9.yaml	34.0.0rc1
2024-01-03T18:27:44.550794+00:00	Pypa Importer	Affected by	VCID-cah8-awtr-aaad	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2018-12.yaml	34.0.0rc1
2024-01-03T18:27:43.788047+00:00	Pypa Importer	Affected by	VCID-jq1x-31sj-aaas	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2021-19.yaml	34.0.0rc1
2024-01-03T18:27:43.022386+00:00	Pypa Importer	Affected by	VCID-ub64-azys-aaaf	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2021-852.yaml	34.0.0rc1
2024-01-03T18:27:42.246302+00:00	Pypa Importer	Affected by	VCID-gufu-nks1-aaag	https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2022-230.yaml	34.0.0rc1