{"id":"PYSEC-2018-12","details":"An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146.","aliases":["CVE-2018-19787","GHSA-xp26-p53h-6h2p"],"modified":"2023-11-08T04:00:08.560552Z","published":"2018-12-02T10:29:00Z","references":[{"type":"FIX","url":"https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"},{"type":"WEB","url":"https://usn.ubuntu.com/3841-2/"},{"type":"WEB","url":"https://usn.ubuntu.com/3841-1/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xp26-p53h-6h2p"}],"affected":[{"package":{"name":"lxml","ecosystem":"PyPI","purl":"pkg:pypi/lxml"},"ranges":[{"type":"GIT","repo":"https://github.com/lxml/lxml","events":[{"introduced":"0"},{"fixed":"6be1d081b49c97cfd7b3fbd934a193b668629109"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.5"}]}],"versions":["0.9","0.9.1","0.9.2","1.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.beta","1.1","1.1.1","1.1.2","1.1alpha","1.1beta","1.2","1.2.1","1.3","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3beta","2.0","2.0.1","2.0.10","2.0.11","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.0alpha1","2.0alpha2","2.0alpha3","2.0alpha4","2.0alpha5","2.0alpha6","2.0beta1","2.0beta2","2.1","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1alpha1","2.1beta1","2.1beta2","2.1beta3","2.2","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2alpha1","2.2beta1","2.2beta2","2.2beta3","2.2beta4","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3alpha1","2.3alpha2","2.3beta1","3.0","3.0.1","3.0.2","3.1.0","3.1.1","3.1.2","3.1beta1","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.3.0","3.3.0beta1","3.3.0beta2","3.3.0beta3","3.3.0beta4","3.3.0beta5","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.5.0","3.5.0b1","3.6.0","3.6.1","3.6.2","3.6.3","3.6.4","3.7.0","3.7.1","3.7.2","3.7.3","3.8.0","4.0.0","4.1.0","4.1.1","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2018-12.yaml"}}],"schema_version":"1.7.3"}