CVE-2014-3146
MEDIUMlxml < 3.3.5 - Cross-Site Scripting via Control Characters in Link Scheme
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2014-3146. PoCs published by Maksim Kochkin.
AI-analyzed exploit summary This exploit demonstrates a security-bypass vulnerability in lxml's HTML cleaner, where obfuscated JavaScript (using control characters) bypasses the sanitization filter. The PoC shows that malicious scripts can evade detection and execute in the cleaned output.
Description
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Exploits (1)
This exploit demonstrates a security-bypass vulnerability in lxml's HTML cleaner, where obfuscated JavaScript (using control characters) bypasses the sanitization filter. The PoC shows that malicious scripts can evade detection and execute in the cleaned output.
References (14)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N