PT-2018-2954 · Lxml+2 · Lxml+2

Published

2018-12-02

Updated

2025-12-18

CVE-2018-19787

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions lxml versions prior to 4.2.5

Description The issue is related to the lxml.html.clean module in the lxml library, which fails to remove javascript: URLs that use escaping. This allows a remote attacker to conduct cross-site scripting (XSS) attacks. The vulnerability can be exploited by using specially crafted URLs, such as "j a v a s c r i p t:" in Internet Explorer.

Recommendations For versions prior to 4.2.5, update to version 4.2.5 or later to resolve the issue. As a temporary workaround, consider disabling the use of the lxml.html.clean module until a patch is available. Restrict access to the lxml/html/clean.py component to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

AZL-6806

BDU:2019-02732

CVE-2018-19787

DLA-1604-1

DLA-2467-1

GHSA-XP26-P53H-6H2P

MGASA-2018-0497

OPENSUSE-SU-2022:0803-1

OPENSUSE-SU-2022_0803-1

OPENSUSE-SU-2024:12414-1

PYSEC-2018-12

SUSE-SU-2022:0803-1

SUSE-SU-2022:0895-1

SUSE-SU-2022:1536-1

SUSE-SU-2022:1729-1

SUSE-SU-2022_0803-1

SUSE-SU-2022_0895-1

USN-3841-1

USN-3841-2

Affected Products

Suse

Ubuntu

Lxml

PT-2018-2954 · Lxml+2 · Lxml+2

CVE-2018-19787

Weakness Enumeration

Related Identifiers

Affected Products

References · 77