CVE-2024-52595

CVSS 3.1 Score 7.7 of 10 (high)

Details

Published Nov 19, 2024
Updated: Nov 21, 2024
CWE ID 83
CWE ID 79
CWE ID 184

Summary

CVE-2024-52595 is a vulnerability affecting the lxml_html_clean project before version 0.4.0. The issue lies in the HTML Parser of lxml, which fails to handle context-switching for specific tags like `<svg>`, `<math>` and `<noscript>`. This deviation from standard web browser behavior allows malicious scripts to bypass the HTML cleaning process, potentially leading to Cross-Site Scripting (XSS) attacks. Users relying on lxml_html_clean for sanitizing untrusted HTML content in a security-sensitive context are advised to upgrade to version 0.4.0. As a temporary measure, users can configure lxml_html_clean with settings like `remove_tags`, `kill_tags`, and `allow_tags` to prevent the exploitation of this vulnerability by excluding context-switching tags.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share