CVE-2014-3146
MEDIUM6.1EPSS 4.3%lxml Cross-site Scripting Via Control Characters
Published: 5/14/2022Modified: 9/30/2024
Description
Incomplete blacklist vulnerability in the `lxml.html.clean` module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the `clean_html` function.
Affected packages (5)
- Debian/lxmlfrom 0, < 3.3.5-1
- Debian/lxmlfrom 0, < 2.2.8-2+deb6u1
- Debian/lxmlfrom 0, < 2.3.2-1+deb7u1
- PyPI/lxmlfrom 0, < 3.3.5
- PyPI/lxmlfrom 0, < 3.3.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (28)
- ADVISORYhttp://secunia.com/advisories/58013
- ADVISORYhttp://secunia.com/advisories/58744
- ADVISORYhttp://secunia.com/advisories/59008
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-3146
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-3146
- ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:112
- PATCHhttps://github.com/lxml/lxml
- WEBhttp://advisories.mageia.org/MGASA-2014-0218.html
- WEBhttp://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html
- WEBhttp://lxml.de/3.3/changes-3.3.5.html
- WEBhttp://seclists.org/fulldisclosure/2014/Apr/210
- WEBhttp://seclists.org/fulldisclosure/2014/Apr/319
- WEBhttps://github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ec
- WEBhttps://github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69
- WEBhttps://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
- WEBhttps://github.com/lxml/lxml/pull/273
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yaml
- WEBhttps://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
- WEBhttps://web.archive.org/web/20140724172044/http://secunia.com/advisories/58013
- WEBhttps://web.archive.org/web/20140805110535/http://secunia.com/advisories/59008
- WEBhttps://web.archive.org/web/20140806061046/http://secunia.com/advisories/58744
- WEBhttps://web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
- WEBhttps://web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/?name=MDVSA-2015:112
- WEBhttps://web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159
- WEBhttp://www.debian.org/security/2014/dsa-2941
- WEBhttp://www.openwall.com/lists/oss-security/2014/05/09/7
- WEBhttp://www.securityfocus.com/bid/67159
- WEBhttp://www.ubuntu.com/usn/USN-2217-1