{"id":"CVE-2018-19787","details":"An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146.","aliases":["GHSA-xp26-p53h-6h2p","PYSEC-2018-12"],"modified":"2026-04-16T06:21:54.233741729Z","published":"2018-12-02T10:29:00.227Z","related":["SUSE-SU-2022:0803-1","SUSE-SU-2022:0895-1","SUSE-SU-2022:1536-1","SUSE-SU-2022:1729-1","openSUSE-SU-2022:0803-1","openSUSE-SU-2024:12414-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3841-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3841-2/"},{"type":"FIX","url":"https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lxml/lxml","events":[{"introduced":"0"},{"fixed":"1dee355e83b1f524de7a772a8da941a186036bc2"},{"fixed":"6be1d081b49c97cfd7b3fbd934a193b668629109"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2.5"}]}}],"versions":["lxml-0.5.1","lxml-0.6","lxml-0.7","lxml-0.9","lxml-1.0","lxml-1.0.beta","lxml-1.1","lxml-1.1alpha","lxml-1.1beta","lxml-1.2","lxml-2.0","lxml-2.0.1","lxml-2.0alpha1","lxml-2.0alpha2","lxml-2.0alpha3","lxml-2.0alpha4","lxml-2.0alpha5","lxml-2.0alpha6","lxml-2.0beta1","lxml-2.0beta2","lxml-2.1","lxml-2.1alpha1","lxml-2.1beta1","lxml-2.1beta2","lxml-2.1beta3","lxml-2.2","lxml-2.2.1","lxml-2.2.2","lxml-2.3","lxml-2.3.1","lxml-2.3alpha1","lxml-2.3alpha2","lxml-2.3beta1","lxml-3.0","lxml-3.0.1","lxml-3.0alpha1","lxml-3.0alpha2","lxml-3.0beta1","lxml-3.1.0","lxml-3.1.1","lxml-3.1beta1","lxml-3.2.0","lxml-3.2.1","lxml-3.2.2","lxml-3.2.3","lxml-3.3.0","lxml-3.3.0beta1","lxml-3.3.0beta2","lxml-3.3.0beta3","lxml-3.3.0beta4","lxml-3.3.0beta5","lxml-3.3.1","lxml-3.3.2","lxml-3.3.3","lxml-3.4.0","lxml-3.4.0beta1","lxml-3.4.1","lxml-3.5.0","lxml-3.5.0b1","lxml-3.6.0","lxml-3.6.1","lxml-3.7.0","lxml-3.7.1","lxml-3.7.2","lxml-3.8.0","lxml-3.8.0-py27fix","lxml-4.0.0","lxml-4.1.0","lxml-4.1.1","lxml-4.2.0","lxml-4.2.1","lxml-4.2.2","lxml-4.2.3","lxml-4.2.3-win","lxml-4.2.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19787.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}