PT-2018-2954 · Lxml+2 · Lxml+2

Publicado

2018-12-02

Atualizado

2025-12-18

CVE-2018-19787

CVSS v3.1

6.1

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions lxml versions prior to 4.2.5

Description The issue is related to the lxml.html.clean module in the lxml library, which fails to remove javascript: URLs that use escaping. This allows a remote attacker to conduct cross-site scripting (XSS) attacks. The vulnerability can be exploited by using specially crafted URLs, such as "j a v a s c r i p t:" in Internet Explorer.

Recommendations For versions prior to 4.2.5, update to version 4.2.5 or later to resolve the issue. As a temporary workaround, consider disabling the use of the lxml.html.clean module until a patch is available. Restrict access to the lxml/html/clean.py component to minimize the risk of exploitation.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

AZL-6806

BDU:2019-02732

CVE-2018-19787

DLA-1604-1

DLA-2467-1

GHSA-XP26-P53H-6H2P

MGASA-2018-0497

OPENSUSE-SU-2022:0803-1

OPENSUSE-SU-2022_0803-1

OPENSUSE-SU-2024:12414-1

PYSEC-2018-12

SUSE-SU-2022:0803-1

SUSE-SU-2022:0895-1

SUSE-SU-2022:1536-1

SUSE-SU-2022:1729-1

SUSE-SU-2022_0803-1

SUSE-SU-2022_0895-1

USN-3841-1

USN-3841-2

Produtos afetados

Suse

Ubuntu

Lxml

PT-2018-2954 · Lxml+2 · Lxml+2

CVE-2018-19787

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 77