CVE-2024-52595
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2024-52595 is a vulnerability in lxml_html_clean (the HTML cleaner split out of `lxml.html.clean`) before version 0.4.0. The lxml HTML parser does not perform the context switching that browsers apply to certain tags: inside `<svg>` and `<math>` a browser parses the content of a `<style>` element as markup rather than raw text, and inside `<noscript>` a browser with scripting enabled treats the content as raw text, whereas lxml applies the same parsing rules everywhere. Markup that lxml treats as opaque text, for example an `<img>` tag with an event-handler attribute placed inside a CSS comment in a `<style>` element under `<svg>`, therefore passes through the cleaner untouched and is executed by the browser, leading to Cross-Site Scripting (XSS). Applications that use lxml_html_clean in its default configuration to sanitize untrusted HTML are affected. Upgrade to lxml_html_clean 0.4.0 or later to fix the issue. As a temporary mitigation, configure the cleaner with `kill_tags` (drops the element together with its content), `remove_tags` (drops the tag but keeps its content) or a restrictive `allow_tags` list so that `<svg>`, `<math>` and `<noscript>` never reach the output.
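The parsing divergence described above, as an added illustration that is not code from lxml_html_clean or from the advisory. Both parsers are approximated with Python's standard-library `html.parser`: its raw-text handling of `<style>` stands in for the lxml side, and a re-scan of `<style>` content under `<svg>`/`<math>` stands in for the browser's foreign-content rules (the reverse `<noscript>` case is not modeled). The payload, the tag sets, `smuggled_tags`, `context_switching_tags` and the `kill_tags` list in `hardened_cleaner` are assumptions of this example; only the `Cleaner(kill_tags=...)` keyword is the library's real API.

```python
"""Added example: why CVE-2024-52595 bypasses lxml_html_clean.

Both parsers are approximated with the standard-library html.parser;
lxml_html_clean is only referenced in hardened_cleaner() and is not
imported at module load, so the module runs offline.
"""
from collections import Counter
from html.parser import HTMLParser

# Tags after which a browser switches parsing rules (HTML5 "foreign content").
FOREIGN_CONTENT_TAGS = {"svg", "math"}
# All context-switching tags named in the advisory (assumed mitigation list).
CONTEXT_SWITCHING_TAGS = FOREIGN_CONTENT_TAGS | {"noscript"}

# Constructed payload: an <img> with an event handler hidden in a CSS comment.
PAYLOAD = '<svg><style>/* <img src=x onerror=alert(1)> */</style></svg>'


class RawTextStyleParser(HTMLParser):
    """lxml-like view: <style> content is opaque text everywhere, so the <img>
    in PAYLOAD is never seen as an element (html.parser tokenizes it that way)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


class BrowserLikeParser(HTMLParser):
    """Browser-like view: inside <svg>/<math> a <style> element is not raw
    text, so the text the tokenizer hands over is re-scanned as markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.foreign_depth = 0   # nesting depth of <svg>/<math>
        self.style_buf = None    # collects <style> text while in foreign content

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in FOREIGN_CONTENT_TAGS:
            self.foreign_depth += 1
        elif tag == "style" and self.foreign_depth:
            self.style_buf = []

    def handle_data(self, data):
        if self.style_buf is not None:
            self.style_buf.append(data)

    def handle_endtag(self, tag):
        if tag in FOREIGN_CONTENT_TAGS and self.foreign_depth:
            self.foreign_depth -= 1
        elif tag == "style" and self.style_buf is not None:
            inner = BrowserLikeParser()
            inner.feed("".join(self.style_buf))  # the "CSS" is parsed as HTML
            inner.close()
            self.tags.extend(inner.tags)
            self.style_buf = None


def _collect(parser_cls, html):
    parser = parser_cls()
    parser.feed(html)
    parser.close()
    return parser.tags


def parse_like_lxml(html):
    return _collect(RawTextStyleParser, html)


def parse_like_browser(html):
    return _collect(BrowserLikeParser, html)


def smuggled_tags(html):
    """Elements a browser would create that the raw-text parser never saw,
    and that a cleaner built on that parser therefore could not remove."""
    extra = Counter(parse_like_browser(html)) - Counter(parse_like_lxml(html))
    return sorted(extra.elements())


def context_switching_tags(html):
    """Pre-check for the mitigation: which of the advisory's tags are present."""
    return set(parse_like_lxml(html)) & CONTEXT_SWITCHING_TAGS


def hardened_cleaner():
    """Temporary mitigation from the advisory using the real Cleaner keyword:
    kill_tags drops each listed element together with its content.
    Requires lxml_html_clean; not exercised by the offline checks."""
    from lxml_html_clean import Cleaner
    return Cleaner(kill_tags=sorted(CONTEXT_SWITCHING_TAGS))


if __name__ == "__main__":
    print("raw-text parser sees:", parse_like_lxml(PAYLOAD))
    print("browser sees:        ", parse_like_browser(PAYLOAD))
    print("smuggled:            ", smuggled_tags(PAYLOAD))
```

The same payload outside `<svg>` smuggles nothing, because both sides then agree that the `<style>` body is raw text; the bypass needs the context switch, which is why killing or removing the switching tags closes it.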