py3-lxml: mXSS due to the use of an improper parser (CVE-2020-27783)
The python-lxml package from version 1.2 and before version 4.6.1 is vulnerable to mXSS (mutation XSS) due to the use of an improper parser. The parser used does not imitate browser parsing, so the sanitizer and the user's browser can interpret the same markup differently. This can result in arbitrary HTML/JS code execution.
Fixed In Version:
lxml 4.6.2
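A defender-side check, added here as an example and not code from the advisory or from the lxml project: it classifies an lxml version string against the two bounds the advisory states, the affected range (1.2 up to but not including 4.6.1) and the fixed release (4.6.2), and can inspect the lxml installed in the running interpreter. The version parsing is a small stdlib-only approximation of PEP 440 written for this example (pre-release tags are treated as sorting before the release they precede); the sample version strings at the bottom are constructed.

```python
"""Classify lxml versions against CVE-2020-27783 (constructed example).

Bounds are taken from the advisory text: affected from 1.2, before 4.6.1;
fixed in lxml 4.6.2. Nothing here is lxml's own code.
"""
import re

AFFECTED_FROM = "1.2"      # "from version 1.2" (advisory)
AFFECTED_BEFORE = "4.6.1"  # "before version 4.6.1" (advisory)
FIXED_IN = "4.6.2"         # "Fixed In Version: lxml 4.6.2" (advisory)

# numeric release segment, then whatever suffix follows (rc1, .dev0, +local, ...)
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE_RE = re.compile(r"^\.?(alpha|beta|pre|dev|rc|a|b)\d*", re.I)


def parse_version(text):
    """Return (release_tuple, is_prerelease) for a version string.

    '4.6.2rc1' -> ((4, 6, 2), True); '4.6.2+local' -> ((4, 6, 2), False).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    release = tuple(int(part) for part in m.group(1).split("."))
    is_prerelease = bool(_PRERELEASE_RE.match(m.group(2)))
    return release, is_prerelease


def version_key(text):
    """Comparable key: trailing zeros dropped so 4.6 == 4.6.0, and a final
    -1 (pre-release) or 0 (final) so that 4.6.2rc1 < 4.6.2."""
    release, is_prerelease = parse_version(text)
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    return release + ((-1,) if is_prerelease else (0,))


def assess(version_text):
    """Report where a version sits relative to the advisory's bounds.

    'in_affected_range' follows the advisory's stated range; 'below_fixed_version'
    follows its fixed-in field. Both are returned because the page gives the
    two bounds separately (4.6.1 vs 4.6.2).
    """
    key = version_key(version_text)
    return {
        "version": version_text,
        "in_affected_range": version_key(AFFECTED_FROM) <= key < version_key(AFFECTED_BEFORE),
        "below_fixed_version": key < version_key(FIXED_IN),
    }


def check_installed():
    """Assess the lxml importable in this interpreter; None if not installed."""
    try:
        import lxml  # lxml exposes its version as lxml.__version__
    except ImportError:
        return None
    return assess(lxml.__version__)


if __name__ == "__main__":
    # constructed sample inputs, not observed installations
    for sample in ("1.1", "1.2.0", "4.6.0", "4.6.1", "4.6.2rc1", "4.6.2", "4.9.3"):
        print(assess(sample))
    print("installed:", check_installed())
```

The useful property here is the pre-release handling: a CI gate that only string-compared versions would accept `4.6.2rc1` as fixed, while this key places it below 4.6.2. The mitigation the advisory implies is the upgrade itself; no configuration of the sanitizer in an affected version makes its parse tree match a browser's.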
References:
Affected branches:
- master (0609e946)
- 3.12-stable