CVE-2024-52595 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-52595 at MITRE

Description

lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail	CNA (GitHub)	National Vulnerability Database
Base Score	7.7	6.1
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector	Network	Network
Attack Complexity	High	Low
Privileges Required	None	None
User Interaction	None	Required
Scope	Unchanged	Changed
Confidentiality Impact	High	Low
Integrity Impact	Low	Low
Availability Impact	High	None
CVSSv3 Version	3.1	3.1

SUSE Bugzilla entry: 1233541 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

SUSE Timeline for this CVE

CVE page created: Wed Nov 20 00:02:26 2024
CVE page last modified: Mon Oct 6 20:01:33 2025