HCE1-SA-2023-0066 Moderate HCE 1.1 Security Fix(es): An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove _ URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. (CVE-2018-19787) An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3. (CVE-2021-28957) HCE 1.1 python-lxml-3.2.1-5.hce1c.x86_64.rpm