suse · CVE-2018-19787

Quick triage

Priority: medium · Published: 2021-05-30 14:19:02 UTC · Updated: 2026-03-05 06:36:11 UTC


Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2018-19787, severity moderate. SUSE lists 324 source package names (1.7.7.0.1.2016:python3-lxml-4.7.1-3.7.1, 1.8.6.0.3.2.5:python3-lxml-4.7.1-3.7.1, …) and 543 product×package rows across 158 product lines (Container ses/7.1/cephcsi/cephcsi, Container ses/7.1/rook/ceph, …). Status counts: Fixed 303, Known Affected 231, Known Not Affected 9.

Description:

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
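
The failure class described above, as an added example (not lxml's code and not its upstream fix): a literal prefix test misses the spaced form of the scheme, while a check that normalizes the URL first and then applies a scheme allowlist rejects it. The function names, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Whitespace and ASCII control characters that lenient URL parsers may ignore.
_IGNORABLE = re.compile(r"[\s\x00-\x1f\x7f]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy, adjust per application


def naive_is_script_url(url: str) -> bool:
    """Literal prefix test: the kind of check the description says is bypassed."""
    return url.strip().lower().startswith("javascript:")


def normalize(url: str) -> str:
    """Percent-decode, drop whitespace/control characters, then lowercase."""
    return _IGNORABLE.sub("", unquote(url)).lower()


def is_allowed_url(url: str) -> bool:
    """Allowlist decision taken on the normalized form; scheme-less URLs pass."""
    match = _SCHEME.match(normalize(url))
    return match is None or match.group(1) in ALLOWED_SCHEMES


def classify(urls):
    """Map each URL to (flagged by naive check, allowed by normalized allowlist)."""
    return {u: (naive_is_script_url(u), is_allowed_url(u)) for u in urls}


# Constructed sample inputs; the spaced form is the one quoted in the description.
SAMPLES = [
    "https://example.com/a b",
    "/relative/path",
    "javascript:void(0)",
    "j a v a s c r i p t:void(0)",
    "j%20a%20v%20a%20s%20c%20r%20i%20p%20t:void(0)",
]

if __name__ == "__main__":
    for url, (naive_hit, allowed) in classify(SAMPLES).items():
        print(f"{url!r:52} naive_flags={naive_hit!s:5} allowed={allowed}")
```

A URL that fails the allowlist should be dropped from the attribute rather than rewritten, so the rendered markup never carries the original string.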
