CVE-2024-52595

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Nov 19, 2024

Updated: Nov 25, 2024

CWE ID 83

CWE ID 79

CWE ID 184

Summary

CVE-2024-52595 is a vulnerability affecting the lxml_html_clean project before version 0.4.0. The HTML Parser in lxml fails to handle context-switching for specific tags like `<svg>`, `<math>`, and `<noscript>`, which deviates from how web browsers process these tags. Malicious scripts can exploit this by inserting code in CSS comments, bypassing the HTML cleaning process. This issue could lead to Cross-Site Scripting (XSS) attacks, potentially compromising users' security. To mitigate the risk, users should upgrade to lxml 0.4.0. As a temporary measure, they can configure lxml_html_clean by specifying tags to remove (via `remove_tags`), remove completely (via `kill_tags`), or restrict permissible tags (via `allow_tags`), excluding context-switching tags.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Advisories, Assessments, and Mitigations

Back to Vulnerability Database