Cross-Site Scripting Vulnerability in lxml by lxml
CVE-2018-19787
6.1 MEDIUM
What is CVE-2018-19787?
A security issue was identified in the lxml library prior to version 4.2.5, where the module lxml.html.clean does not adequately filter out javascript: URLs that make use of escaping techniques. This oversight enables a remote attacker to execute cross-site scripting (XSS) attacks. The vulnerability allows an attacker to embed harmful scripts, as evidenced by the string 'j a v a s c r i p t:', which can be particularly damaging when exploited in browsers like Internet Explorer. This resembles previously documented issues, such as CVE-2014-3146.
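The filtering gap described above, shown as an added example that is not lxml's own code: a literal-prefix check next to a check that normalizes the URL before allowlisting its scheme. The function names, the allowlist, and the set of ignored characters are assumptions made for this illustration, and the sample URLs are constructed.

```python
import re

# Characters stripped before the scheme is inspected: ASCII whitespace and
# control characters. Assumption for this example, not lxml's own list.
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # hypothetical allowlist


def naive_is_safe(url):
    """Weak check: only rejects a literal 'javascript:' prefix."""
    return not url.strip().lower().startswith("javascript:")


def normalized_is_safe(url):
    """Collapse ignorable characters, then allowlist the scheme."""
    collapsed = _IGNORED.sub("", url).lower()
    match = _SCHEME.match(collapsed)
    if match is None:
        return True  # no scheme present: treated as a relative URL
    return match.group(1) in ALLOWED_SCHEMES


def find_bypasses(urls):
    """Return URLs the naive check accepts but the normalized check rejects."""
    return [u for u in urls if naive_is_safe(u) and not normalized_is_safe(u)]


# Constructed sample input; the spaced form is the string quoted in the advisory.
SAMPLE_URLS = [
    "https://example.com/",
    "/relative/path?q=a:b",
    "javascript:x",
    "j a v a s c r i p t:x",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(repr(url), naive_is_safe(url), normalized_is_safe(url))
    print("missed by naive check:", find_bypasses(SAMPLE_URLS))
```

An allowlist of schemes fails closed on spellings the filter has never seen, which a denylist of known bad prefixes cannot do.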
