Miggo Logo
Miggo Vulnerability Database
CVE-2021-43818

CVE-2021-43818:
lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through

8.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-43818
GHSA ID
GHSA-55x5-fj6c-h6m8
EPSS Score
0.84262%
CWE
CWE-74
Published
12/13/2021
Updated
9/30/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
lxmlpip< 4.6.54.6.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key functions in the HTML cleaner: 1) _has_sneaky_javascript lacked '@import' detection in CSS, letting attackers bypass sanitization through crafted style content. 2) _is_javascript_scheme improperly handled SVG data URIs due to insufficient image type validation. These are confirmed by the commit diffs showing added '@import' checks and SVG data URI validation, and CWE-79/CWE-74 mappings align with XSS and injection vectors through these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *TML *l**n*r in lxml.*tml l*ts **rt*in *r**t** s*ript *ont*nt p*ss t*rou**, *s w*ll *s s*ript *ont*nt in SV* *il*s *m****** usin* **t* URIs. Us*rs t**t *mploy t** *TML *l**n*r in * s**urity r*l*v*nt *ont*xt s*oul* up*r*** to lxml *.*.

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions in t** *TML *l**n*r: *) _**s_sn**ky_j*v*s*ript l**k** '@import' **t**tion in *SS, l*ttin* *tt**k*rs *yp*ss s*nitiz*tion t*rou** *r**t** styl* *ont*nt. *) _is_j*v*s*ript_s***m* improp*rly **n*l** SV* **t*