Advisories » MGASA-2018-0497

Updated python-lxml packages fix security vulnerability

Publication date: 31 Dec 2018
Modification date: 31 Dec 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-19787

Description

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the
lxml.html.clean module does not remove javascript: URLs that use
escaping, allowing a remote attacker to conduct XSS attacks, as
demonstrated by "j a v a s c r i p t:" in Internet Explorer
(CVE-2018-19787).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24067
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3RVMDZTRGFNPQRD6MD74QL2A5IOBPFXQ/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19787

SRPMS

6/core

• python-lxml-4.2.5-1.mga6