You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/platform_requirements.txt
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project
Dependency Hierarchy:
❌ lxml-3.3.5.tar.gz (Vulnerable Library)
Vulnerability Details
lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
CVE-2021-28957 - Medium Severity Vulnerability
Vulnerable Libraries - lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl, lxml-3.3.5.tar.gz
lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/03/06/eb9f000882f671a2d494342c1fe93b1c8b18fb04420bb611aeaa3298ef17/lxml-4.5.0-cp27-cp27mu-manylinux1_x86_64.whl
Path to dependency file: clusterfuzz/src/python/bot/tasks
Path to vulnerable library: clusterfuzz/src/python/bot/tasks,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/requirements.txt,clusterfuzz/src/appengine/handlers/cron/project,clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/src/appengine/requirements.txt,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/requirements.txt,clusterfuzz/src/platform_requirements.txt
Dependency Hierarchy:
lxml-3.3.5.tar.gz
Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
Library home page: https://files.pythonhosted.org/packages/ae/a8/ad6c2350c65b357faf9a06c7428b5c6159b01bd3014eed93a75513843063/lxml-3.3.5.tar.gz
Path to dependency file: clusterfuzz/src/python/bot/untrusted_runner/build
Path to vulnerable library: clusterfuzz/src/python/bot/untrusted_runner/build,clusterfuzz/resources/platform/linux/peach/peach_mutator/peach_mutator/third_party/peach/requirements.txt,clusterfuzz/src/local/butler/scripts,clusterfuzz/src/python/bot/tasks,clusterfuzz/src/appengine/handlers/cron/project
Dependency Hierarchy:
Vulnerability Details
lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
Publish Date: 2021-03-21
URL: CVE-2021-28957
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
Release Date: 2021-03-21
Fix Resolution: 4.6.2
The text was updated successfully, but these errors were encountered: