
Updated lxml packages have been released for Debian GNU/Linux 8 LTS



Package : lxml
Version : 3.4.0-1+deb8u1
CVE ID : CVE-2018-19787

It was discovered that there was an XSS injection vulnerability in
the LXML HTML/XML manipulation library for Python.

LXML did not remove "javascript:" URLs that used escaping such as
"j a v a s c r i p t". This is a similar issue to CVE-2014-3146.

For Debian 8 "Jessie", this issue has been fixed in lxml version
3.4.0-1+deb8u1.

We recommend that you upgrade your lxml packages.
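
The escaping problem described above can be seen by comparing a scheme check on the raw link with one that normalizes the link first. This is an added example, not lxml's code and not part of the advisory; it assumes "escaping" covers percent-encoding as well as embedded whitespace, and the function names and sample links are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Whitespace and ASCII control characters that may be interleaved in a scheme.
_STRIP = re.compile(r"[\s\x00-\x1f]+")
_SCRIPT_SCHEME = re.compile(r"^(?:javascript|vbscript):", re.I)


def naive_is_script_url(url):
    """Check the raw string only: the kind of check that escaping defeats."""
    return bool(_SCRIPT_SCHEME.match(url.strip()))


def normalized_is_script_url(url, max_rounds=3):
    """Undo percent-escaping (repeatedly, for nested encoding) and drop
    whitespace/control characters before testing the scheme."""
    candidate = url
    for _ in range(max_rounds):
        decoded = unquote_plus(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    candidate = _STRIP.sub("", candidate)
    return bool(_SCRIPT_SCHEME.match(candidate))


def scrub_href(url):
    """Return '' for script-scheme links, otherwise the link unchanged."""
    return "" if normalized_is_script_url(url) else url


# Constructed sample links, not taken from the advisory.
SAMPLES = [
    "javascript:alert(1)",
    "j a v a s c r i p t:alert(1)",
    "j%20a%20v%20a%20s%20c%20r%20i%20p%20t:alert(1)",
    "j%2520avascript:alert(1)",
    "https://example.org/page?q=javascript:",
    "/docs/java%20script.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} naive={naive_is_script_url(s)!s:5} "
              f"normalized={normalized_is_script_url(s)}")
```

The check is anchored at the start of the normalized link, so an ordinary URL that merely contains the word in its path or query is left untouched.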