Description
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | python-lxml | Will not fix | ||
Red Hat Enterprise Linux 6 | python-lxml | Will not fix | ||
Red Hat Enterprise Linux 7 | python-lxml | Will not fix | ||
Red Hat Enterprise Linux 8 | python-lxml | Will not fix | ||
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-lxml | Will not fix | ||
Red Hat OpenStack Platform 10 (Newton) | python-lxml | Will not fix | ||
Red Hat OpenStack Platform 12 (Pike) | python-lxml | Will not fix | ||
Red Hat OpenStack Platform 13 (Queens) | python-lxml | Will not fix | ||
Red Hat OpenStack Platform 14 (Rocky) | python-lxml | Affected | ||
Red Hat OpenStack Platform 8 (Liberty) | python-lxml | Will not fix | ||
Additional information
Status:
EPSS
4.7 Medium
CVSS3
Related vulnerabilities
Improper Neutralization of Input During Web Page Generation in LXML