EIQ-2019-0001
| Field | Value |
| --- | --- |
| ID | EIQ-2019-0001 |
| CVE | |
| Description | lxml could allow cross-site scripting (XSS) attacks |
| Date | 04 Feb 2019 |
| Severity | 2 - MEDIUM |
| CVSSv3 score | 6.1 |
| Status | 2.3.4 |
| Assessment | An issue was discovered in the lxml Python library versions 4.2.4 and earlier. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping. This makes it possible for a remote attacker to conduct XSS attacks. This is a similar issue to CVE-2014-3146. |
| Mitigation | EclecticIQ Platform is not affected. |
| Affected versions | None |
| Notes | Neither EclecticIQ Platform nor its dependencies use lxml.html.clean(). |
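
The triage reasoning in the Assessment and Notes fields (affected lxml version range, and whether `lxml.html.clean` is used at all) can be repeated against another code base. The following is an added example, not EclecticIQ tooling; the function names and the sample sources are hypothetical and constructed for illustration, and `ast.unparse` assumes Python 3.9 or later.

```python
import ast
import re

AFFECTED_MAX = (4, 2, 4)    # advisory: lxml versions 4.2.4 and earlier
TARGET = "lxml.html.clean"  # module named in the advisory

def is_affected_version(version):
    """True if the version string falls in the advisory's affected range."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return True  # unparseable version: treat as affected until checked by hand
    return tuple(int(p) for p in m.group().split(".")) <= AFFECTED_MAX

def clean_usage_lines(source):
    """Line numbers where source imports or references lxml.html.clean."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            mod = node.module or ""
            names = [mod] + [mod + "." + a.name for a in node.names]
        elif isinstance(node, ast.Attribute):
            names = [ast.unparse(node)]  # e.g. "lxml.html.clean.Cleaner"
        else:
            continue
        if any(n == TARGET or n.startswith(TARGET + ".") for n in names):
            hits.add(node.lineno)
    return sorted(hits)

def triage(lxml_version, sources):
    """sources: {filename: source text}. Returns (verdict, {filename: lines})."""
    usage = {f: clean_usage_lines(s) for f, s in sources.items()}
    usage = {f: lines for f, lines in usage.items() if lines}
    if not usage:
        return "not affected: lxml.html.clean is not used", usage
    if not is_affected_version(lxml_version):
        return "not affected: lxml version is outside the affected range", usage
    return "affected", usage

# Constructed sample input, not taken from any real code base.
SAMPLE = {
    "sanitize.py": "import os\nfrom lxml.html.clean import Cleaner\nc = Cleaner()\n",
    "parse.py": "from lxml import etree\ntree = etree.fromstring(data)\n",
}
```

The scan is static: it does not see modules loaded through `importlib` or reached through an aliased parent package (`from lxml import html` followed by `html.clean`), so a clean result still warrants a text search for `clean` in files that import lxml.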
In release notes 2.3.4