从这个网页截图中,可以获取到以下关于漏洞的关键信息: 1. 漏洞名称:HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through 2. 漏洞等级:High 3. 发布者:frenzymbadness 4. 漏洞编号:GHSA-5jfw-gq64-q45f 5. 发布时间:4 days ago 6. 受影响版本:< 0.4.0 7. 已修复版本:0.4.0 8. 描述: - HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , , and . - Content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. - This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. 9. 影响: - Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. 10. 工作原理: - Users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability: - : Specify tags to remove - their content is moved to their parents' tags. - : Specify tags to be removed completely. - : Restrict the set of permissible tags, excluding context-switching tags like , , and . 11. 参考链接: - #19 - c5d816f 12. CVSS v3 base metrics: - Attack vector: Network - Attack complexity: High - Privileges required: None - User interaction: None - Scope: Unchanged - Confidentiality: High - Integrity: Low - Availability: High 13. CVE ID:CVE-2024-52595 14. 弱点: - CWE-79 - CWE-83 - CWE-184 15. 贡献者: - JorianWoltjer (Finder) - frenzymbadness (Remediation developer)