EIQ-2019-0001

ID

EIQ-2019-0001

CVE

CVE-2018-19787

Description

lxml could allow cross-site scripting (XSS) attacks

Date

04 Feb 2019

Severity

2 - MEDIUM

CVSSv3 score

6.1

Status

2.3.4

Assessment

An issue was discovered in the lxml Python library versions 4.2.4 and earlier.

lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping.

This makes it possible for a remote attacker to conduct XSS attacks.

This is a similar issue to CVE-2014-3146.
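As an added example (not part of this advisory or of the lxml project), the following stdlib-only check can be run over sanitizer output to confirm that no escaped spelling of a javascript: URL survived cleaning. The sample HTML and the attribute list are constructed for the example, and the percent-decoding step is deliberately conservative, so it may flag a harmless URL rather than miss a scripted one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Attribute names that browsers resolve as URLs (constructed list for this example).
URL_ATTRS = {"href", "src", "action", "formaction", "background", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# URL parsers drop tab/LF/CR anywhere and strip leading C0 controls and spaces.
_IGNORED = re.compile(r"[\t\n\r]")
_LEADING = re.compile(r"^[\x00-\x20]+")

def normalize_url(value: str) -> str:
    """Normalize an entity-decoded attribute value the way a URL parser would,
    then percent-decode it as well so an escaped scheme cannot hide."""
    value = _LEADING.sub("", _IGNORED.sub("", value))
    # Conservative: also decode percent-escapes, accepting an occasional false positive.
    return _LEADING.sub("", _IGNORED.sub("", unquote_plus(value))).lower()

def is_script_url(value: str) -> bool:
    """True if the (already entity-decoded) value still resolves to a script scheme."""
    return normalize_url(value).startswith(SCRIPT_SCHEMES)

class _ScriptUrlFinder(HTMLParser):
    """Walk sanitizer output and record every URL attribute that is still scripted.
    html.parser hands us attribute values with HTML entities already decoded."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name in URL_ATTRS and is_script_url(value):
                self.findings.append((tag, name, value))

def find_script_urls(cleaned_html: str) -> list:
    """Return (tag, attribute, value) for every scripted URL left in cleaned HTML."""
    finder = _ScriptUrlFinder()
    finder.feed(cleaned_html)
    finder.close()
    return finder.findings

# Constructed sample standing in for sanitizer output; the second and third links
# are spellings that a naive startswith("javascript:") check would miss.
SAMPLE_OUTPUT = (
    '<p>Hello <a href="https://example.com/docs">docs</a> '
    '<a href="&#106;avascript:alert(1)">entity-escaped</a> '
    '<a href=" java&#9;script:alert(1)">tab and leading space</a> '
    '<img src="image.png" alt="javascript:not-a-url"></p>'
)

if __name__ == "__main__":
    for tag, attr, value in find_script_urls(SAMPLE_OUTPUT):
        print(f"unsafe {tag}@{attr}: {value!r}")
```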

Mitigation

EclecticIQ Platform is not affected.

Affected versions

None

Notes

Neither EclecticIQ Platform nor its dependencies use lxml.html.clean().

In release notes 2.3.4