CVE-2018-19787 : An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascrip

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

Published 2018-12-02 10:29:00

Updated 2020-11-26 21:15:10

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2018-19787

Probability of exploitation activity in the next 30 days: 0.61%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 76 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-19787

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2018-19787

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-19787

https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html

[SECURITY] [DLA 1604-1] lxml security update
Mailing List;Third Party Advisory
https://usn.ubuntu.com/3841-1/

USN-3841-1: lxml vulnerability | Ubuntu security notices
Third Party Advisory
https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109

Fix: make the cleaner also remove javascript URLs that use escaping. · lxml/lxml@6be1d08 · GitHub
Patch;Vendor Advisory
https://usn.ubuntu.com/3841-2/

USN-3841-2: lxml vulnerability | Ubuntu security notices
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html

[SECURITY] [DLA 2467-1] lxml security update

Products affected by CVE-2018-19787

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Lxml » Lxml
Versions before (<) 4.2.5
cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2018-19787

Exploit prediction scoring system (EPSS) score for CVE-2018-19787

CVSS scores for CVE-2018-19787

CWE ids for CVE-2018-19787

References for CVE-2018-19787

Products affected by CVE-2018-19787