ALT-PU-2018-3739-1

Package python-module-lxml updated to version 4.2.5-alt1 for branch sisyphus in task 218580.

Уязвимость компонента lxml/html/clean.py модуля lxml.html.clean библиотеки для обработки разметки XML и HTML Lxml, позволяющая нарушителю осуществлять межсайтовые сценарные атаки

Severity: MEDIUM (6.1)Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: MEDIUM (5.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

CVE-2018-19787

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: MEDIUM (6.1)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Improper Neutralization of Input During Web Page Generation in LXML

Severity: MEDIUM (5.3)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: MEDIUM (5.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References:

Version: 2.1.2

Package python-module-lxml update in sisyphus on 2018-12-26

ALT-PU-2018-3739-1

Closed vulnerabilities

BDU:2019-02732

CVE-2018-19787

GHSA-xp26-p53h-6h2p