ALAS-2023-1956

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function. (CVE-2014-3146)

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. (CVE-2018-19787)

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances. (CVE-2021-43818)

aarch64:
    python-lxml-3.2.1-4.amzn2.0.4.aarch64
    python-lxml-debuginfo-3.2.1-4.amzn2.0.4.aarch64

i686:
    python-lxml-3.2.1-4.amzn2.0.4.i686
    python-lxml-debuginfo-3.2.1-4.amzn2.0.4.i686

noarch:
    python-lxml-docs-3.2.1-4.amzn2.0.4.noarch

src:
    python-lxml-3.2.1-4.amzn2.0.4.src

x86_64:
    python-lxml-3.2.1-4.amzn2.0.4.x86_64
    python-lxml-debuginfo-3.2.1-4.amzn2.0.4.x86_64

2025-03-07: CVE-2014-3146 was added to this advisory.

2025-02-11: CVE-2018-19787 was added to this advisory.