GHSA-5jfw-gq64-q45f · 深刻度: high · エコシステム: pip — HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.
総合評価: CVE-2024-52595 は中リスク(54/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 0.50%、66 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-04-10 | 0.37% | 0.50% | +0.13% |
| 2 | 2026-02-13 | 0.24% | 0.37% | +0.13% |
| 3 | 2025-12-28 | — | 0.24% | — |
EPSS の全履歴 (全 15 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 7.7 | 3.1 | HIGH |
|
2.2 | 5.5 | [email protected] |
| 6.1 | 3.1 | MEDIUM |
|
2.8 | 2.7 | [email protected] |
GHSA-5jfw-gq64-q45f · 深刻度: high · エコシステム: pip — HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-52595 not yet assigned priority: Debian including 1 source packages (lxml-html-clean), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. | https://security-tracker.debian.org/tracker/CVE-2024-52595 |
ubuntu
|
medium | CVE-2024-52595 medium priority: Ubuntu including 1 source packages (lxml-html-clean), 7 status rows across 7 suites (focal, jammy, noble, oracular, plucky, questing, upstream): needs-triage 3, DNE 2, ignored 2. | https://ubuntu.com/security/CVE-2024-52595 |
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| fedoralovespython | lxml_html_clean | < 0.4.0 | cpe:2.3:a:fedoralovespython:lxml_html_clean:*:*:*:*:*:python:*:* |