CVE-2018-19787

2018-12-0210:29:00

Google

osv.dev

6 Medium

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.0%

JSON

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by “j a v a s c r i p t:” in Internet Explorer. This is a similar issue to CVE-2014-3146.

CPENameOperatorVersion
lxmleqlxml-2.0alpha1
lxmleqlxml-4.2.3-win
lxmleqlxml-1.0.beta
lxmleqlxml-3.6.3
lxmleqlxml-2.3beta1
lxmleqlxml-2.1
lxmleqlxml-3.5.0
lxmleqlxml-3.3.6
lxmleqlxml-1.1
lxmleqlxml-3.3.1

Name	Operator	Version
lxml	eq	lxml-2.0alpha1
lxml	eq	lxml-4.2.3-win
lxml	eq	lxml-1.0.beta
lxml	eq	lxml-3.6.3
lxml	eq	lxml-2.3beta1
lxml	eq	lxml-2.1
lxml	eq	lxml-3.5.0
lxml	eq	lxml-3.3.6
lxml	eq	lxml-1.1
lxml	eq	lxml-3.3.1