CVE-2014-3146

6.1 MEDIUM
Published: May 14, 2014 Modified: December 17, 2025
View on NVD

Description

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0218.html
Source: secalert@redhat.com
http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html
Source: secalert@redhat.com
http://lxml.de/3.3/changes-3.3.5.html
Source: secalert@redhat.com
http://seclists.org/fulldisclosure/2014/Apr/210
Source: secalert@redhat.com
http://seclists.org/fulldisclosure/2014/Apr/319
Source: secalert@redhat.com
Exploit
http://secunia.com/advisories/58013
Source: secalert@redhat.com
Vendor Advisory
http://secunia.com/advisories/58744
Source: secalert@redhat.com
http://secunia.com/advisories/59008
Source: secalert@redhat.com
http://www.debian.org/security/2014/dsa-2941
Source: secalert@redhat.com
http://www.mandriva.com/security/advisories?name=MDVSA-2015:112
Source: secalert@redhat.com
http://www.openwall.com/lists/oss-security/2014/05/09/7
Source: secalert@redhat.com
http://www.securityfocus.com/bid/67159
Source: secalert@redhat.com
Exploit
http://www.ubuntu.com/usn/USN-2217-1
Source: secalert@redhat.com
https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
Source: secalert@redhat.com
Exploit
http://advisories.mageia.org/MGASA-2014-0218.html
Source: af854a3a-2127-422b-91ae-364da2661108
http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html
Source: af854a3a-2127-422b-91ae-364da2661108
http://lxml.de/3.3/changes-3.3.5.html
Source: af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2014/Apr/210
Source: af854a3a-2127-422b-91ae-364da2661108
http://seclists.org/fulldisclosure/2014/Apr/319
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
http://secunia.com/advisories/58013
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://secunia.com/advisories/58744
Source: af854a3a-2127-422b-91ae-364da2661108
http://secunia.com/advisories/59008
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.debian.org/security/2014/dsa-2941
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.mandriva.com/security/advisories?name=MDVSA-2015:112
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.openwall.com/lists/oss-security/2014/05/09/7
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.securityfocus.com/bid/67159
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.ubuntu.com/usn/USN-2217-1
Source: af854a3a-2127-422b-91ae-364da2661108
https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit

28 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
4.3%
88th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

lxml

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3