Fluid Attacks Database

Description

Improper Neutralization of Input During Web Page Generation in LXML An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	lxml	>=0 <4.2.5-1	4.2.5-1
debian 12	lxml	>=0 <4.2.5-1	4.2.5-1
debian 11	lxml	>=0 <4.2.5-1	4.2.5-1
pypi	lxml	>=0 <4.2.5	4.2.5
debian 13	lxml	>=0 <4.2.5-1	4.2.5-1
rpm rhel7	python-lxml	-	-
rpm rhel8	python-lxml	-	-
rpm rhel5	python-lxml	-	-
rpm rhel6	python-lxml	-	-

Aliases

1. CVE-2018-197872. NVD-2018-197873. OSV-DEBIAN-2018-197874. OSV-2018-197875. GHSA-xp26-p53h-6h2p6. GCVE-2018-197877. SECURITY-TRACKER-CVE-2018-197878. lists.debian.org9. lists.debian.org

References

1. https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b6686291092. https://github.com/lxml/lxml3. https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2018-12.yaml4. https://usn.ubuntu.com/3841-15. https://usn.ubuntu.com/3841-2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.