CVE-2014-3146
Publication date 14 May 2014
Last updated 19 December 2025
Ubuntu priority
Description
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| lxml | 14.04 LTS trusty |
Fixed 3.3.3-1ubuntu0.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-2217-1
- lxml vulnerability
- 21 May 2014
Other references
- http://lxml.de/3.3/changes-3.3.5.html
- http://seclists.org/fulldisclosure/2014/Apr/210
- https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
- http://www.openwall.com/lists/oss-security/2014/05/09/7
- http://secunia.com/advisories/58013
- http://seclists.org/fulldisclosure/2014/Apr/319
- https://www.cve.org/CVERecord?id=CVE-2014-3146