CVE-2021-28957: 
Python vulnerability analysis and mitigation

CVE-2021-28957 is a cross-site scripting (XSS) vulnerability discovered in python-lxml's clean module versions before 4.6.3. The vulnerability was discovered by Kevin Chung and disclosed on March 21, 2021. The issue affects the HTML sanitization functionality in lxml, specifically when the safeattrsonly and forms arguments are disabled (Launchpad Bug, NVD).

The vulnerability occurs because the Cleaner class does not properly remove the HTML5 formaction attribute when the safeattrsonly and forms arguments are disabled. While the HTML action attribute is properly sanitized, the formaction attribute bypasses the sanitizer's protections. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

A remote attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of users who interact with incorrectly sanitized HTML. This could lead to disclosure of sensitive information or modification of data when users interact with maliciously crafted content (NVD, NetApp Advisory).

The vulnerability was patched in lxml version 4.6.3. Users should upgrade to this version or later to address the issue. The fix adds the formaction attribute to the list of attributes that are removed by the sanitizer when JavaScript is disabled (GitHub Commit, Debian Advisory).

Multiple vendors and distributions released security advisories and patches for this vulnerability, including Debian, Fedora, Red Hat, NetApp, and Oracle. The issue was treated as a moderate severity security concern by most vendors (Debian Advisory, NetApp Advisory, Oracle CPU).