
CVE-2018-19787: Improper Neutralization of Input During Web Page Generation in LXML

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.53129%
Published: 5/13/2022
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: lxml
Ecosystem: pip
Vulnerable Versions: < 4.2.5
First Patched Version: 4.2.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient handling of encoded JavaScript URLs in the HTML sanitizer. Commit 6be1d08 shows that the fix was applied to _remove_javascript_link by adding a call to unquote_plus() so that a URL is decoded before whitespace substitution. The pre-patch version of this function only performed whitespace substitution without URL decoding, so a 'javascript:' scheme obfuscated with URL escaping was not recognized. The test case changes in test_clean.txt demonstrate that this was the attack vector. The function's direct responsibility for URL sanitization and the explicit patch confirm its vulnerability.
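To make the root cause concrete, the following is an added example, not lxml's own source: a simplified re-implementation of the link filter described above in its pre-patch form (whitespace substitution only) and its patched form (unquote_plus() first, then whitespace substitution). The regular expressions, function names and sample URLs are constructed for this illustration; the only behaviour taken from the advisory is that the patched version percent-decodes the link before stripping whitespace and checking for a javascript: scheme.

```python
import re
from urllib.parse import unquote_plus

# Constructed approximation of an HTML sanitizer's link check (hypothetical; not lxml's code).
# Only the javascript: scheme is checked here; a production sanitizer blocks a longer list.
_is_javascript_scheme = re.compile(r"javascript:", re.I).search

# Whitespace and ASCII control characters that some browsers ignored inside a URL scheme,
# which is why "j a v a s c r i p t:" has to be collapsed before the scheme check.
_substitute_whitespace = re.compile(r"[\s\x00-\x08\x0B\x0C\x0E-\x19]+").sub


def remove_javascript_link_prepatch(link: str) -> str:
    """Pre-fix behaviour: collapse whitespace, then look for a javascript: scheme.

    Percent-encoded whitespace (%20) is not whitespace at this point, so an
    encoded scheme slips through unchanged.
    """
    collapsed = _substitute_whitespace("", link)
    return "" if _is_javascript_scheme(collapsed) else link


def remove_javascript_link_patched(link: str) -> str:
    """Post-fix behaviour: percent-decode first, then collapse whitespace and check.

    The decoded copy is used only for the decision; the original link is
    returned untouched when it is allowed.
    """
    collapsed = _substitute_whitespace("", unquote_plus(link))
    return "" if _is_javascript_scheme(collapsed) else link


# Constructed sample URLs used as test vectors for the two filter versions.
SAMPLE_LINKS = [
    "https://example.com/?q=a+b",                        # benign; must survive both filters
    "javascript:alert(1)",                               # plain scheme; both filters strip it
    "j a v a s c r i p t:alert(1)",                      # whitespace-padded; both filters strip it
    "j%20a%20v%20a%20s%20c%20r%20i%20p%20t:alert(1)",    # percent-encoded whitespace; only the patched filter strips it
]


def audit(links):
    """Return {link: (blocked_by_prepatch, blocked_by_patched)} for each sample link."""
    return {
        link: (
            remove_javascript_link_prepatch(link) == "",
            remove_javascript_link_patched(link) == "",
        )
        for link in links
    }


if __name__ == "__main__":
    for link, (pre, post) in audit(SAMPLE_LINKS).items():
        print(f"{link!r}: blocked before fix={pre}, blocked after fix={post}")
```

The fourth sample is the case the advisory describes: before the fix the percent-encoded spaces are opaque to the whitespace substitution, so the scheme is never recognized and the link is passed through; after the fix the link is decoded first and the filter drops it. Note that the benign URL containing `+` is still returned verbatim, because decoding is applied only to the copy used for the check.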


WAF Protection Rules

WAF Rule

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet
