CVE-2024-52595 - "lxml HTML Cleaner Vulnerability - Cross-Site Scripting via Improper Context-Switching of Special Tags"

1 day ago 3
ARTICLE AD BOX
CVE ID : CVE-2024-52595
Published : Nov. 19, 2024, 10:15 p.m. | 24 minutes ago
Description : lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as ``, `` and ``. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like ``, `` and ``.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Read Entire Article
  1. Homepage
  2. CVEs
  3. CVE-2024-52595 - "lxml HTML Cleaner Vulnerability - Cross-Site Scripting via Improper Context-Switching of Special Tags"

Related

CVE-2024-49203 - Querydsl JPA orderBy SQL Injection

CVE-2024-49203 - Querydsl JPA orderBy SQL Injection

23 hours ago 3
CVE-2024-52702 - MyBB Stored XSS Vulnerability

CVE-2024-52702 - MyBB Stored XSS Vulnerability

23 hours ago 3
CVE-2024-48986 - Micrium mBedOS HCI Buffer Overflow Vulnerability

CVE-2024-48986 - Micrium mBedOS HCI Buffer Overflow Vulnerab...

23 hours ago 3

Trending

1. Chris Sale
2. Jussie Smollett
3. Coral
4. ICBM
5. ICC
6. Gautam Adani
7. Boba
8. George Strait
9. Brooks and Dunn
10. UConn women's basketball

Popular

CVE-2024-6343 - Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN Buffer Overflow Denial of Service

CVE-2024-6343 - Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W...

2 months ago 163
CVE-2024-5053 - Fluent Forms Mailchimp API Key Update Weakness

CVE-2024-5053 - Fluent Forms Mailchimp API Key Update Weakne...

2 months ago 152
CVE-2024-8367 - HM Courts & Tribunals Service Probate Back Office Markdown Handler Injection Vulnerability

CVE-2024-8367 - HM Courts & Tribunals Service Probate Back O...

2 months ago 120
CVE-2024-44946 - Linux KCM kcm_sendmsg() UAF

CVE-2024-44946 - Linux KCM kcm_sendmsg() UAF

2 months ago 96
CVE-2024-8368 - "Code-projects Hospital Management System SQL Injection Vulnerability"

CVE-2024-8368 - "Code-projects Hospital Management System SQ...

2 months ago 90
English (US) English (US) ·
About Us · Contact Us · Terms & Conditions · Tools ·

© Intel85 - OSINT Search Engine 2024. All rights are reserved