CVE-2018-19787: Cross-site Scripting in lxml

CWE-79: Cross-site Scripting (12 documents, 9 sources)

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 32.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2018-12-02; latest update 2022-05-13

Description

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
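The evasion the description refers to, shown as an added illustration that is not lxml's own code: a scheme check that only looks at the raw attribute value misses a javascript: scheme that has been broken up with whitespace, ASCII control characters or percent-encoding, while a check that normalizes the value first (decode, then strip the junk characters) catches the same inputs. The function names, the scheme list and the sample links below are assumptions constructed for this example; the real fix for affected deployments is to upgrade to lxml 4.2.5 or later.

```python
import re
from urllib.parse import unquote_plus

# Schemes that can execute script or smuggle content from href/src values.
# The list is an assumption for this example, not lxml's.
_SCHEME_RE = re.compile(
    r'^\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)

# Whitespace plus the ASCII control characters that lenient (IE-era) parsers
# ignore inside a URL scheme; this is what makes "j a v a s c r i p t:" work.
_JUNK_RE = re.compile(r'[\s\x00-\x08\x0b\x0c\x0e-\x1f]+')


def naive_is_script_url(link: str) -> bool:
    """Pre-fix style check: match the scheme against the raw attribute value."""
    return _SCHEME_RE.search(link) is not None


def hardened_is_script_url(link: str) -> bool:
    """Normalize the way a lenient browser would, then match the scheme.

    Order matters: percent-decode first ("%6Aavascript:", "java%09script:"),
    then drop whitespace/control characters ("j a v a s c r i p t:").
    A "%09" only turns into a strippable tab after decoding.
    """
    normalized = _JUNK_RE.sub('', unquote_plus(link))
    return _SCHEME_RE.search(normalized) is not None


def clean_href(link: str) -> str:
    """Return '' for links the hardened check rejects, else the link unchanged."""
    return '' if hardened_is_script_url(link) else link


# Constructed test vectors for this example (not taken from the advisory).
SAMPLES = [
    "javascript:alert(1)",           # both checks catch the plain form
    "j a v a s c r i p t:alert(1)",  # whitespace inside the scheme (from the CVE text)
    "java\tscript:alert(1)",         # tab inside the scheme
    "java\x00script:alert(1)",       # NUL inside the scheme
    "%6Aavascript:alert(1)",         # percent-encoded first byte
    "java%09script:alert(1)",        # percent-encoded tab
    "https://example.com/page",      # benign, must survive cleaning
    "mailto:user@example.com",       # benign, must survive cleaning
]


def compare(samples=SAMPLES):
    """Map each sample link to (naive_verdict, hardened_verdict)."""
    return {s: (naive_is_script_url(s), hardened_is_script_url(s)) for s in samples}


if __name__ == "__main__":
    for link, (naive, hardened) in compare().items():
        print(f"{link!r:34} naive={naive!s:5} hardened={hardened}")
```

The naive check flags only the first sample; the hardened check flags the first six and leaves the two benign links alone. Decoding and stripping before the scheme match is the general pattern: any sanitizer that compares a scheme against the raw string is only as strict as the least strict parser that will later consume the value.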

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

NVD: lxml/lxml < 4.2.5
PyPI: lxml/lxml < 4.2.5
Debian: lxml/lxml < 4.2.5-1+3

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04

Patches

Vulnerability Details (4)

OSV: Improper Neutralization of Input During Web Page Generation in LXML (2022-05-13)
GHSA: Improper Neutralization of Input During Web Page Generation in LXML (2022-05-13)
OSV: CVE-2018-19787: An issue was discovered in lxml before 4... (2018-12-02)
CVEList: CVE-2018-19787: An issue was discovered in lxml before 4... (2018-12-02)

Vendor Advisories (5)

Microsoft: An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as d... (2018-12-11)
Ubuntu: lxml vulnerability (2018-12-10)
Ubuntu: lxml vulnerability (2018-12-10)
Red Hat: python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py (2018-09-09)
Debian: CVE-2018-19787: lxml - An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.htm... (2018)

Community (2)

Bugzilla: CVE-2018-19787 python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py [fedora-all] (2018-12-17)
Bugzilla: CVE-2018-19787 python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py (2018-12-17)