CVE-2014-3146

EUVD-2014-0033
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Cross-site Scripting
CVSS 3.x Base Score by provider:

NIST (Primary): Base Score 6.1 MEDIUM; Attack Vector NETWORK; Attack Complexity LOW; Privileges Required NONE; Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA-ADP (ADP): Base Score 6.1 MEDIUM; Attack Vector NETWORK; Attack Complexity LOW; Privileges Required NONE; Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score: Percentile 88%
Affected Products (NVD)

Vendor: lxml
Product: lxml
Versions (x = vulnerable software versions):
  x  ≤ 3.3.4
  0.5, 0.5.1, 0.6, 0.7, 0.8, 0.9, 0.9.1, 0.9.2
  1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6
  2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11
  2.1:alpha1, 2.1:beta1, 2.1:beta2, 2.1:beta3, 2.1.1, 2.1.2, 2.1.3, 2.1.4
  2.2, 2.2:alpha1, 2.2:beta1, 2.2:beta2, 2.2:beta3, 2.2:beta4, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8
  2.3, 2.3:alpha1, 2.3:alpha2, 2.3:beta1, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6
  3.0, 3.0:alpha1, 3.0:alpha2, 3.0:beta1, 3.0.1, 3.0.2
  3.1:beta1, 3.1.0, 3.1.1, 3.1.2
  3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5
  3.3.0, 3.3.0:beta1, 3.3.0:beta2, 3.3.0:beta3, 3.3.0:beta4, 3.3.0:beta5, 3.3.1, 3.3.2, 3.3.3
Debian Releases (product: lxml)
  bookworm: 4.9.2-1 (fixed)
  bullseye: 4.6.3+dfsg-0.1+deb11u1 (fixed)
  bullseye (security): 4.6.3+dfsg-0.1+deb11u1 (fixed)
  sid: 5.3.0-1 (fixed)
  trixie: 5.3.0-1 (fixed)
Ubuntu Releases (product: lxml)
  lucid: ignored
  precise: Fixed 2.3.2-1ubuntu0.2 (released)
  quantal: ignored
  saucy: Fixed 3.2.0-1ubuntu0.1 (released)
  trusty: Fixed 3.3.3-1ubuntu0.1 (released)