CVE-2018-19787 (severity: moderate). SUSE data covers 324 source package names (1.7.7.0.1.2016:python3-lxml-4.7.1-3.7.1, 1.8.6.0.3.2.5:python3-lxml-4.7.1-3.7.1, …) in 543 product×package rows across 158 product lines (Container ses/7.1/cephcsi/cephcsi, Container ses/7.1/rook/ceph, …): Fixed 303, Known Affected 231, Known Not Affected 9.
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
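
The failure mode described above, as an added example (not lxml's own code): a scheme check that only trims and lowercases the URL misses the spaced form, while one that decodes escapes and removes whitespace and control characters before comparing catches it. All function names and sample URLs here are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Whitespace and ASCII control characters, removed before the scheme is compared.
_IGNORABLE = re.compile(r"[\s\x00-\x1f]+")


def naive_is_script_url(url: str) -> bool:
    """Check that only trims and lowercases: the weak form."""
    return url.strip().lower().startswith("javascript:")


def normalized_is_script_url(url: str) -> bool:
    """Decode %XX and '+' escapes, drop whitespace/control characters, then compare."""
    collapsed = _IGNORABLE.sub("", unquote_plus(url)).lower()
    return collapsed.startswith("javascript:")


def clean_href(url: str) -> str:
    """Return an empty href for script URLs, the original value otherwise."""
    return "" if normalized_is_script_url(url) else url


def missed_by_naive(urls):
    """URLs the normalized check flags but the naive check lets through."""
    return [u for u in urls
            if normalized_is_script_url(u) and not naive_is_script_url(u)]


# Constructed sample inputs (hypothetical, for illustration only).
SAMPLES = [
    "javascript:void(0)",
    "j a v a s c r i p t:void(0)",
    "j%20a%20v%20a%20s%20c%20r%20i%20p%20t:void(0)",
    "https://example.com/a%20b?q=javascript:",
    "/relative/path",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u!r:50} naive={naive_is_script_url(u)} "
              f"normalized={normalized_is_script_url(u)}")
```

The normalized check flags every URL the naive check flags, so switching to it can only reject more URLs, never fewer.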