CVE-2014-3146

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
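
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| redhat | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
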
EPSS Score
Percentile: 92%
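
| Vendor | Product | Version |
|---|---|---|
| lxml | lxml | 𝑥 ≤ 3.3.4 |
| lxml | lxml | 0.5 |
| lxml | lxml | 0.5.1 |
| lxml | lxml | 0.6 |
| lxml | lxml | 0.7 |
| lxml | lxml | 0.8 |
| lxml | lxml | 0.9 |
| lxml | lxml | 0.9.1 |
| lxml | lxml | 0.9.2 |
| lxml | lxml | 1.0 |
| lxml | lxml | 1.0.1 |
| lxml | lxml | 1.0.2 |
| lxml | lxml | 1.0.3 |
| lxml | lxml | 1.0.4 |
| lxml | lxml | 1.1 |
| lxml | lxml | 1.1.1 |
| lxml | lxml | 1.1.2 |
| lxml | lxml | 1.2 |
| lxml | lxml | 1.2.1 |
| lxml | lxml | 1.3 |
| lxml | lxml | 1.3.1 |
| lxml | lxml | 1.3.2 |
| lxml | lxml | 1.3.3 |
| lxml | lxml | 1.3.4 |
| lxml | lxml | 1.3.5 |
| lxml | lxml | 1.3.6 |
| lxml | lxml | 2.0 |
| lxml | lxml | 2.0.1 |
| lxml | lxml | 2.0.2 |
| lxml | lxml | 2.0.3 |
| lxml | lxml | 2.0.4 |
| lxml | lxml | 2.0.5 |
| lxml | lxml | 2.0.6 |
| lxml | lxml | 2.0.7 |
| lxml | lxml | 2.0.8 |
| lxml | lxml | 2.0.9 |
| lxml | lxml | 2.0.10 |
| lxml | lxml | 2.0.11 |
| lxml | lxml | 2.1:alpha1 |
| lxml | lxml | 2.1:beta1 |
| lxml | lxml | 2.1:beta2 |
| lxml | lxml | 2.1:beta3 |
| lxml | lxml | 2.1.1 |
| lxml | lxml | 2.1.2 |
| lxml | lxml | 2.1.3 |
| lxml | lxml | 2.1.4 |
| lxml | lxml | 2.2 |
| lxml | lxml | 2.2:alpha1 |
| lxml | lxml | 2.2:beta1 |
| lxml | lxml | 2.2:beta2 |
| lxml | lxml | 2.2:beta3 |
| lxml | lxml | 2.2:beta4 |
| lxml | lxml | 2.2.1 |
| lxml | lxml | 2.2.2 |
| lxml | lxml | 2.2.3 |
| lxml | lxml | 2.2.4 |
| lxml | lxml | 2.2.5 |
| lxml | lxml | 2.2.6 |
| lxml | lxml | 2.2.7 |
| lxml | lxml | 2.2.8 |
| lxml | lxml | 2.3 |
| lxml | lxml | 2.3:alpha1 |
| lxml | lxml | 2.3:alpha2 |
| lxml | lxml | 2.3:beta1 |
| lxml | lxml | 2.3.1 |
| lxml | lxml | 2.3.2 |
| lxml | lxml | 2.3.3 |
| lxml | lxml | 2.3.4 |
| lxml | lxml | 2.3.5 |
| lxml | lxml | 2.3.6 |
| lxml | lxml | 3.0 |
| lxml | lxml | 3.0:alpha1 |
| lxml | lxml | 3.0:alpha2 |
| lxml | lxml | 3.0:beta1 |
| lxml | lxml | 3.0.1 |
| lxml | lxml | 3.0.2 |
| lxml | lxml | 3.1:beta1 |
| lxml | lxml | 3.1.0 |
| lxml | lxml | 3.1.1 |
| lxml | lxml | 3.1.2 |
| lxml | lxml | 3.2.0 |
| lxml | lxml | 3.2.1 |
| lxml | lxml | 3.2.2 |
| lxml | lxml | 3.2.3 |
| lxml | lxml | 3.2.4 |
| lxml | lxml | 3.2.5 |
| lxml | lxml | 3.3.0 |
| lxml | lxml | 3.3.0:beta1 |
| lxml | lxml | 3.3.0:beta2 |
| lxml | lxml | 3.3.0:beta3 |
| lxml | lxml | 3.3.0:beta4 |
| lxml | lxml | 3.3.0:beta5 |
| lxml | lxml | 3.3.1 |
| lxml | lxml | 3.3.2 |
| lxml | lxml | 3.3.3 |

𝑥 = Vulnerable software versions
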
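Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| lxml | bullseye (security) | 4.6.3+dfsg-0.1+deb11u1 | fixed |
| lxml | bullseye | 4.6.3+dfsg-0.1+deb11u1 | fixed |
| lxml | bookworm | 4.9.2-1 | fixed |
| lxml | sid | 5.3.0-1 | fixed |
| lxml | trixie | 5.3.0-1 | fixed |
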
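Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| lxml | trusty | Fixed 3.3.3-1ubuntu0.1 | released |
| lxml | saucy | Fixed 3.2.0-1ubuntu0.1 | released |
| lxml | quantal | | ignored |
| lxml | precise | Fixed 2.3.2-1ubuntu0.2 | released |
| lxml | lucid | | ignored |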