PYSEC-2018-12

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2018-12.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2018-12
Aliases
Published
2018-12-02T10:29:00Z
Modified
2023-11-08T04:00:08.560552Z
Summary
[none]
Details

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

References

Affected packages

PyPI / lxml

Package

Name
lxml
View open source insights on deps.dev
Purl
pkg:pypi/lxml

Affected ranges

Type
GIT
Repo
https://github.com/lxml/lxml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6be1d081b49c97cfd7b3fbd934a193b668629109
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.5

Affected versions

0.*

0.9
0.9.1
0.9.2

1.*

1.0.beta
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1alpha
1.1beta
1.1
1.1.1
1.1.2
1.2
1.2.1
1.3beta
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6

2.*

2.0alpha1
2.0alpha2
2.0alpha3
2.0alpha4
2.0alpha5
2.0alpha6
2.0beta1
2.0beta2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.1alpha1
2.1beta1
2.1beta2
2.1beta3
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2alpha1
2.2beta1
2.2beta2
2.2beta3
2.2beta4
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3alpha1
2.3alpha2
2.3beta1
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6

3.*

3.0
3.0.1
3.0.2
3.1beta1
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0beta1
3.3.0beta2
3.3.0beta3
3.3.0beta4
3.3.0beta5
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0b1
3.5.0
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0

4.*

4.0.0
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4