The python-lxml package from version 1.2 and before version 4.6.2 is vulnerable to mXSS due to the use of an improper parser. The parser used doesn't imitate browsers, which causes different behaviours between the sanitizer and the user's page. This can result in arbitrary HTML/JS code execution.
References:
https://pypi.org/project/lxml/4.6.1/
https://pypi.org/project/lxml/4.6.2/
Upstream patches:
https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
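The description above names the general problem: the sanitizer's parser builds one tree, the browser builds a different one from the serialised output, and markup that looked inert to the sanitizer becomes active in the page. A cheap check a defender can add in front of any HTML sanitizer is to require it to be a fixed point: sanitize, re-parse the serialised result, sanitize again, and refuse output that still changes between passes. The following is an added example written for this bug, not lxml's code and not the upstream fix; it uses only the Python standard library, and the allowlist, the attribute rules and the "drop with content" set (the tags the report names, noscript, style, math and svg, plus script) are assumptions of the example rather than lxml defaults.

```python
"""Fixed-point check for an HTML sanitizer (added example, not lxml's code)."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a"}              # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}                  # assumed per-tag attribute allowlist
# Elements whose whole content is dropped: the tags named in the report, plus script.
DROP_WITH_CONTENT = {"script", "style", "noscript", "math", "svg"}


class AllowlistSanitizer(HTMLParser):
    """Serialises only allowlisted tags/attributes; escapes everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # serialised output fragments
        self.open_tags = []    # allowlisted tags currently open, so they get closed
        self.skip_depth = 0    # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            # Nested drop-tags deepen the skip; anything else inside is dropped.
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unwrap: the tag goes, its text content stays
        kept = []
        for name, value in attrs:
            # Only allowlisted attributes with an absolute http(s) value survive.
            if (name in ALLOWED_ATTRS.get(tag, set()) and value is not None
                    and value.lower().startswith(("http://", "https://"))):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            # A mismatched drop-tag pair (e.g. <svg><noscript></svg>) keeps skipping: fail closed.
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after this tag, then the tag itself.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped outright

    def result(self):
        self.close()
        while self.open_tags:  # close anything left dangling at end of input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_once(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def sanitize_stable(fragment, max_passes=4):
    """Sanitize until the output stops changing; return (output, passes_used).

    Output that the sanitizer would change again on re-parse is exactly the
    parser disagreement mXSS relies on, so that case raises instead of returning.
    """
    current = sanitize_once(fragment)
    passes = 1
    while passes < max_passes:
        again = sanitize_once(current)
        passes += 1
        if again == current:
            return current, passes
        current = again
    raise ValueError("sanitizer output did not reach a fixed point")


if __name__ == "__main__":
    # Constructed sample input, not taken from the report.
    sample = ('<p>hi <b>there</b> <style>p{}</style>'
              '<a href="https://example.com" onclick="x()">link</a></p>')
    print(sanitize_stable(sample))
```

The second pass is the part that matters: it re-parses the sanitizer's own serialisation, which is the same thing the browser will do, so any construct that survives the first pass only to be interpreted differently on re-parse shows up as a changed output rather than reaching the page. The allowlist sanitizer here is deliberately simple; the check wraps any sanitizer that exposes a string-in, string-out call.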
Created python-lxml tracking bugs for this issue: Affects: fedora-all [bug 1901634]
Upstream info for 4.6.2 fix: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 https://pypi.org/project/lxml/4.6.2/
Hi, as the assigning CNA for CVE-2020-27783, can you clarify the scope of it? Originally, and by https://bugzilla.redhat.com/show_bug.cgi?id=1901633#c0, this only seems to apply to https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e, which was fixed in 4.6.1 upstream. Later on upstream has referenced the CVE in the 4.6.2 notes, but fixed there as well a second vector, <math/svg> and <style>, via https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 in 4.6.2. Can you ideally assign a second CVE for the second fix? Some might have covered with CVE-2020-27783 only the <noscript> and <style> part. Thanks already, Regards, Salvatore
@Salvatore, as we talked by email, according to upstream the fix was split into 2 releases and the issues were discovered together. Also, the CVE doesn't specifically say it's only for certain XSS vectors; therefore, we think a new CVE is not needed in this case. Thank you for bringing this to us!
FEDORA-2020-0e055ea503 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2020-307946cfb6 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27783
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1898 https://access.redhat.com/errata/RHSA-2021:1898
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254