Mageia 6 - MGASA-2018-0497 Critical: Python-Lxml XSS Risk
mageia
December 31, 2018
An issue was discovered in lxml before 4.2.5
Summary
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the
lxml.html.clean module does not remove javascript: URLs that use
escaping, allowing a remote attacker to conduct XSS attacks, as
demonstrated by "j a v a s c r i p t:" in Internet Explorer
(CVE-2018-19787).
References
- https://bugs.mageia.org/show_bug.cgi?id=24067
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3RVMDZTRGFNPQRD6MD74QL2A5IOBPFXQ/
- https://www.cve.org/CVERecord?id=CVE-2018-19787
Topics Covered
Resolution
SRPMS
- 6/core/python-lxml-4.2.5-1.mga6
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 31 Dec 2018
URL: https://advisories.mageia.org/MGASA-2018-0497.html
Type: security
CVE: CVE-2018-19787
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!