CVE-2014-3146

MEDIUM

Lxml < 3.3.4 - XSS

Title source: rule

Description

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Maksim Kochkin · textremotelinux

https://www.exploit-db.com/exploits/39155

View Code ZIP pw:eip

References (14)

Core 14

Core References

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2014/dsa-2941

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2014/05/09/7

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-2217-1

Exploit mailing-list x_refsource_mlist

https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/58744

Third Party Advisory x_refsource_confirm

http://advisories.mageia.org/MGASA-2014-0218.html

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/67159

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2015:112

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/58013

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Apr/210

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/59008

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Apr/319

Various Sources x_refsource_confirm

http://lxml.de/3.3/changes-3.3.5.html

Scores

CVSS v3 6.1

EPSS 0.0427

EPSS Percentile 88.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (43)

lxml/lxml 0.5

lxml/lxml 0.5.1

lxml/lxml 0.6

lxml/lxml 0.7

lxml/lxml 0.8

lxml/lxml 0.9

lxml/lxml 0.9.1

lxml/lxml 0.9.2

lxml/lxml 1.0

lxml/lxml 1.0.1

... and 33 more

Published May 14, 2014

Tracked Since Feb 18, 2026