{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-52595","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-11-14T15:05:46.768Z","datePublished":"2024-11-19T21:27:08.871Z","dateUpdated":"2024-11-20T15:19:10.677Z"},"containers":{"cna":{"title":"HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through","problemTypes":[{"descriptions":[{"cweId":"CWE-79","lang":"en","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-83","lang":"en","description":"CWE-83: Improper Neutralization of Script in Attributes in a Web Page","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-184","lang":"en","description":"CWE-184: Incomplete List of Disallowed Inputs","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f","tags":["x_refsource_CONFIRM"],"url":"https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f"},{"name":"https://github.com/fedora-python/lxml_html_clean/pull/19","tags":["x_refsource_MISC"],"url":"https://github.com/fedora-python/lxml_html_clean/pull/19"},{"name":"https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808","tags":["x_refsource_MISC"],"url":"https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808"}],"affected":[{"vendor":"fedora-python","product":"lxml_html_clean","versions":[{"version":"< 0.4.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-11-19T21:27:08.871Z"},"descriptions":[{"lang":"en","value":"lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`."}],"source":{"advisory":"GHSA-5jfw-gq64-q45f","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-20T15:18:41.666822Z","id":"CVE-2024-52595","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-20T15:19:10.677Z"}}]}}