Cross-site Scripting (XSS) Affecting html5lib package, versions *
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Scope
Changed
Threat Intelligence
EPSS
0.32% (71st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN8-HTML5LIB-280333
- published 22 Feb 2017
- disclosed 22 Feb 2017
Introduced: 22 Feb 2017
CVE-2016-9910 Open this link in a new tabHow to fix?
There is no fixed version for Debian:8 html5lib.
NVD Description
Note: Versions mentioned in the description apply only to the upstream html5lib package and not the html5lib package as distributed by Debian.
See How to fix? for Debian:8 relevant fixed versions and status.
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.
References
- https://security-tracker.debian.org/tracker/CVE-2016-9910
- https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7
- https://github.com/html5lib/html5lib-python/issues/11
- https://github.com/html5lib/html5lib-python/issues/12
- https://html5lib.readthedocs.io/en/latest/changes.html#b9
- http://www.openwall.com/lists/oss-security/2016/12/06/5
- http://www.openwall.com/lists/oss-security/2016/12/08/8
- http://www.securityfocus.com/bid/95132
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9910