CVE-2024-52595

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Nov 19, 2024

CVSS 7.7 (High); no EPSS score yet

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in its default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml_html_clean 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove; their content is moved into the parent tag. Via `kill_tags`, one may specify tags to be removed completely, together with their content. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.
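The interim mitigation above, applied in code. This is an added example, not code from the lxml_html_clean project or the advisory: it assumes the package's `Cleaner` class accepts the `kill_tags` parameter named in the description, the sample HTML is constructed, and the `residual_context_tags` helper is a hypothetical post-sanitization check written here with the standard library so it runs even without lxml installed.

```python
"""Hardened lxml_html_clean configuration for CVE-2024-52595, plus a
stand-alone check that the context-switching tags really are gone.

Added example, not project code. Assumes lxml_html_clean.Cleaner and its
``kill_tags`` parameter as described in the advisory; SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser

try:
    from lxml_html_clean import Cleaner  # real package; optional for the checks below
except ImportError:  # helper functions stay usable when lxml is not installed
    Cleaner = None

# Tags whose content browsers parse in a different context than the surrounding
# document, as named in the advisory.
CONTEXT_SWITCHING_TAGS = ("svg", "math", "noscript")

# Constructed sample: ordinary markup mixed with the three special tags.
SAMPLE_HTML = (
    "<p>hello <b>world</b></p>"
    "<svg><style>/* comment */</style></svg>"
    "<math><mi>x</mi></math>"
    "<noscript><p>fallback</p></noscript>"
)


def hardened_cleaner_kwargs():
    """Keyword arguments implementing the advisory's interim mitigation:
    kill_tags drops the context-switching elements together with their
    content (remove_tags would keep the content and only unwrap the tag)."""
    return {"kill_tags": list(CONTEXT_SWITCHING_TAGS)}


def cleaner_available():
    """True when lxml_html_clean could be imported."""
    return Cleaner is not None


def clean_untrusted(html):
    """Sanitize untrusted HTML with the hardened settings (scripts, javascript
    and style removal stay at the Cleaner defaults, which are enabled)."""
    if Cleaner is None:
        raise RuntimeError("lxml_html_clean is not installed")
    return Cleaner(**hardened_cleaner_kwargs()).clean_html(html)


class _ContextTagFinder(HTMLParser):
    """Collects start tags that belong to the context-switching set."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in CONTEXT_SWITCHING_TAGS:
            self.found.append(tag.lower())


def residual_context_tags(html):
    """Names of context-switching tags still present in supposedly cleaned
    HTML, in document order. A non-empty result after cleaning means the
    cleaner configuration did not do what was expected."""
    finder = _ContextTagFinder()
    finder.feed(html)
    finder.close()
    return finder.found


if __name__ == "__main__":
    print("before:", residual_context_tags(SAMPLE_HTML))
    if cleaner_available():
        cleaned = clean_untrusted(SAMPLE_HTML)
        print("cleaned:", cleaned)
        print("after:", residual_context_tags(cleaned))
```

Running the script prints the tags found in the sample before cleaning and, when lxml_html_clean is installed, confirms none survive afterwards. If you prefer the `allow_tags` variant of the mitigation instead of `kill_tags`, note that the Cleaner rejects `allow_tags` combined with its default `remove_unknown_tags=True`, so that flag must be set to `False` alongside the allow list.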

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Nov 19, 2024 at 8:25 PM
CVSS

A CVSS base score of 7.7 has been assigned.

Nov 19, 2024 at 9:10 PM / github_advisories
First Article

Feedly found the first article mentioning CVE-2024-52595.

Nov 19, 2024 at 9:15 PM / GitHub Advisory Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 19, 2024 at 9:15 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 19, 2024 at 9:42 PM
CVE Assignment

NVD published the first details for CVE-2024-52595

Nov 19, 2024 at 10:15 PM

Affected Systems

Lxml/lxml

Patches

Github Advisory

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

Vendor Advisory

[GHSA-5jfw-gq64-q45f] HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
GitHub Security Advisory: GHSA-5jfw-gq64-q45f
Release Date: 2024-11-19
Update Date: 2024-11-19
Severity: High
CVE-2024-52595
Base Score: 7.7
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Package Information
Package: lxml-html-clean
Affected Versions:
Patched Versions: 0.4.0
Description
The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as

News

CVE-2024-52595
This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability.
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as <svg>, <math> and <noscript>. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of …
NA - CVE-2024-52595 - lxml_html_clean is a project for HTML cleaning...
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special...
CVE-2024-52595
This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as <svg>, <math> and <noscript>.
CVE-2024-52595 - "lxml HTML Cleaner Vulnerability - Cross-Site Scripting via Improper Context-Switching of Special Tags"
This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: High
