lxml is vulnerable to cross-site scripting. An attacker can inject and execute crafted scripts and SVG-embedded scripts through data URIs in clean.py.
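A post-sanitization check for the case described above, added here as an example and not taken from lxml or its fix commits: it scans HTML that has already been through a cleaner and reports every attribute that still carries a `data:` URI with the `image/svg+xml` media type. The function name, the normalization rule and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Browsers drop tabs and newlines inside URLs; stripping every character
# up to 0x20 is a deliberate over-approximation so split schemes still match.
_IGNORED = re.compile(r"[\x00-\x20]+")
_DATA_URI = re.compile(r"data:([a-z0-9.+/-]*)")


class _DataUriScanner(HTMLParser):
    """Collects (tag, attribute) pairs whose value holds an SVG data URI."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in values,
        # so entity-encoded schemes arrive here in plain form.
        for name, value in attrs:
            if not value:
                continue
            normalized = _IGNORED.sub("", value).lower()
            # finditer also catches url(data:...) inside style attributes.
            for match in _DATA_URI.finditer(normalized):
                if match.group(1) == "image/svg+xml":
                    self.findings.append((tag, name))


def find_svg_data_uris(html_text):
    """Return [(tag, attribute), ...] for SVG data URIs left in html_text."""
    scanner = _DataUriScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample: the SVG bodies are an empty <svg/> element.
SAMPLE = (
    '<p>ok</p>'
    '<img src="data:image/png;base64,AAAA">'
    '<img src="DATA:image/SVG+xml;base64,PHN2Zy8+">'
    '<a href="da\tta:image/svg+xml,%3Csvg/%3E">x</a>'
    '<div style="background: url(data:image/svg+xml;base64,PHN2Zy8+)">y</div>'
    '<embed src="&#x64;ata:image/svg+xml,%3Csvg/%3E">'
)

if __name__ == "__main__":
    for tag, attr in find_svg_data_uris(SAMPLE):
        print(f"SVG data URI survived sanitization: <{tag} {attr}=...>")
```

Run it over cleaner output in a regression test or CI step; any finding means the sanitized markup still needs the affected attribute removed or the lxml version checked against the fix commits listed below.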
github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
lists.debian.org/debian-lts-announce/2021/12/msg00037.html
lists.fedoraproject.org/archives/list/[email protected]/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7/
lists.fedoraproject.org/archives/list/[email protected]/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V/
lists.fedoraproject.org/archives/list/[email protected]/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7/
lists.fedoraproject.org/archives/list/[email protected]/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/
security.gentoo.org/glsa/202208-06
security.netapp.com/advisory/ntap-20220107-0005/
www.debian.org/security/2022/dsa-5043
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujul2022.html