CVE-2024-52595: HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
(updated )
The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as <svg>, <math> and <noscript>. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content.
References
- github.com/advisories/GHSA-5jfw-gq64-q45f
- github.com/fedora-python/lxml_html_clean
- github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808
- github.com/fedora-python/lxml_html_clean/pull/19
- github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f
- github.com/pypa/advisory-database/tree/main/vulns/lxml-html-clean/PYSEC-2024-160.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-52595
Code Behaviors & Features
Detect and mitigate CVE-2024-52595 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →