CVE-2014-3146
Summary
| CVE | CVE-2014-3146 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-05-14 19:55:00 UTC |
| Updated | 2017-12-29 02:29:00 UTC |
| Description | Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Lxml | Lxml | 0.5 | All | All | All |
| Application | Lxml | Lxml | 0.5.1 | All | All | All |
| Application | Lxml | Lxml | 0.6 | All | All | All |
| Application | Lxml | Lxml | 0.7 | All | All | All |
| Application | Lxml | Lxml | 0.8 | All | All | All |
| Application | Lxml | Lxml | 0.9 | All | All | All |
| Application | Lxml | Lxml | 0.9.1 | All | All | All |
| Application | Lxml | Lxml | 0.9.2 | All | All | All |
| Application | Lxml | Lxml | 1.0 | All | All | All |
| Application | Lxml | Lxml | 1.0.1 | All | All | All |
| Application | Lxml | Lxml | 1.0.2 | All | All | All |
| Application | Lxml | Lxml | 1.0.3 | All | All | All |
| Application | Lxml | Lxml | 1.0.4 | All | All | All |
| Application | Lxml | Lxml | 1.1 | All | All | All |
| Application | Lxml | Lxml | 1.1.1 | All | All | All |
| Application | Lxml | Lxml | 1.1.2 | All | All | All |
| Application | Lxml | Lxml | 1.2 | All | All | All |
| Application | Lxml | Lxml | 1.2.1 | All | All | All |
| Application | Lxml | Lxml | 1.3 | All | All | All |
| Application | Lxml | Lxml | 1.3.1 | All | All | All |
| Application | Lxml | Lxml | 1.3.2 | All | All | All |
| Application | Lxml | Lxml | 1.3.3 | All | All | All |
| Application | Lxml | Lxml | 1.3.4 | All | All | All |
| Application | Lxml | Lxml | 1.3.5 | All | All | All |
| Application | Lxml | Lxml | 1.3.6 | All | All | All |
| Application | Lxml | Lxml | 2.0 | All | All | All |
| Application | Lxml | Lxml | 2.0.1 | All | All | All |
| Application | Lxml | Lxml | 2.0.10 | All | All | All |
| Application | Lxml | Lxml | 2.0.11 | All | All | All |
| Application | Lxml | Lxml | 2.0.2 | All | All | All |
| Application | Lxml | Lxml | 2.0.3 | All | All | All |
| Application | Lxml | Lxml | 2.0.4 | All | All | All |
| Application | Lxml | Lxml | 2.0.5 | All | All | All |
| Application | Lxml | Lxml | 2.0.6 | All | All | All |
| Application | Lxml | Lxml | 2.0.7 | All | All | All |
| Application | Lxml | Lxml | 2.0.8 | All | All | All |
| Application | Lxml | Lxml | 2.0.9 | All | All | All |
| Application | Lxml | Lxml | 2.1 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.1 | beta1 | All | All |
| Application | Lxml | Lxml | 2.1 | beta2 | All | All |
| Application | Lxml | Lxml | 2.1 | beta3 | All | All |
| Application | Lxml | Lxml | 2.1.1 | All | All | All |
| Application | Lxml | Lxml | 2.1.2 | All | All | All |
| Application | Lxml | Lxml | 2.1.3 | All | All | All |
| Application | Lxml | Lxml | 2.1.4 | All | All | All |
| Application | Lxml | Lxml | 2.2 | - | All | All |
| Application | Lxml | Lxml | 2.2 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.2 | beta1 | All | All |
| Application | Lxml | Lxml | 2.2 | beta2 | All | All |
| Application | Lxml | Lxml | 2.2 | beta3 | All | All |
| Application | Lxml | Lxml | 2.2 | beta4 | All | All |
| Application | Lxml | Lxml | 2.2.1 | All | All | All |
| Application | Lxml | Lxml | 2.2.2 | All | All | All |
| Application | Lxml | Lxml | 2.2.3 | All | All | All |
| Application | Lxml | Lxml | 2.2.4 | All | All | All |
| Application | Lxml | Lxml | 2.2.5 | All | All | All |
| Application | Lxml | Lxml | 2.2.6 | All | All | All |
| Application | Lxml | Lxml | 2.2.7 | All | All | All |
| Application | Lxml | Lxml | 2.2.8 | All | All | All |
| Application | Lxml | Lxml | 2.3 | - | All | All |
| Application | Lxml | Lxml | 2.3 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.3 | alpha2 | All | All |
| Application | Lxml | Lxml | 2.3 | beta1 | All | All |
| Application | Lxml | Lxml | 2.3.1 | All | All | All |
| Application | Lxml | Lxml | 2.3.2 | All | All | All |
| Application | Lxml | Lxml | 2.3.3 | All | All | All |
| Application | Lxml | Lxml | 2.3.4 | All | All | All |
| Application | Lxml | Lxml | 2.3.5 | All | All | All |
| Application | Lxml | Lxml | 2.3.6 | All | All | All |
| Application | Lxml | Lxml | 3.0 | - | All | All |
| Application | Lxml | Lxml | 3.0 | alpha1 | All | All |
| Application | Lxml | Lxml | 3.0 | alpha2 | All | All |
| Application | Lxml | Lxml | 3.0 | beta1 | All | All |
| Application | Lxml | Lxml | 3.0.1 | All | All | All |
| Application | Lxml | Lxml | 3.0.2 | All | All | All |
| Application | Lxml | Lxml | 3.1 | beta1 | All | All |
| Application | Lxml | Lxml | 3.1.0 | All | All | All |
| Application | Lxml | Lxml | 3.1.1 | All | All | All |
| Application | Lxml | Lxml | 3.1.2 | All | All | All |
| Application | Lxml | Lxml | 3.2.0 | All | All | All |
| Application | Lxml | Lxml | 3.2.1 | All | All | All |
| Application | Lxml | Lxml | 3.2.2 | All | All | All |
| Application | Lxml | Lxml | 3.2.3 | All | All | All |
| Application | Lxml | Lxml | 3.2.4 | All | All | All |
| Application | Lxml | Lxml | 3.2.5 | All | All | All |
| Application | Lxml | Lxml | 3.3.0 | - | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta1 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta2 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta3 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta4 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta5 | All | All |
| Application | Lxml | Lxml | 3.3.1 | All | All | All |
| Application | Lxml | Lxml | 3.3.2 | All | All | All |
| Application | Lxml | Lxml | 3.3.3 | All | All | All |
| Application | Lxml | Lxml | 0.5 | All | All | All |
| Application | Lxml | Lxml | 0.5.1 | All | All | All |
| Application | Lxml | Lxml | 0.6 | All | All | All |
| Application | Lxml | Lxml | 0.7 | All | All | All |
| Application | Lxml | Lxml | 0.8 | All | All | All |
| Application | Lxml | Lxml | 0.9 | All | All | All |
| Application | Lxml | Lxml | 0.9.1 | All | All | All |
| Application | Lxml | Lxml | 0.9.2 | All | All | All |
| Application | Lxml | Lxml | 1.0 | All | All | All |
| Application | Lxml | Lxml | 1.0.1 | All | All | All |
| Application | Lxml | Lxml | 1.0.2 | All | All | All |
| Application | Lxml | Lxml | 1.0.3 | All | All | All |
| Application | Lxml | Lxml | 1.0.4 | All | All | All |
| Application | Lxml | Lxml | 1.1 | All | All | All |
| Application | Lxml | Lxml | 1.1.1 | All | All | All |
| Application | Lxml | Lxml | 1.1.2 | All | All | All |
| Application | Lxml | Lxml | 1.2 | All | All | All |
| Application | Lxml | Lxml | 1.2.1 | All | All | All |
| Application | Lxml | Lxml | 1.3 | All | All | All |
| Application | Lxml | Lxml | 1.3.1 | All | All | All |
| Application | Lxml | Lxml | 1.3.2 | All | All | All |
| Application | Lxml | Lxml | 1.3.3 | All | All | All |
| Application | Lxml | Lxml | 1.3.4 | All | All | All |
| Application | Lxml | Lxml | 1.3.5 | All | All | All |
| Application | Lxml | Lxml | 1.3.6 | All | All | All |
| Application | Lxml | Lxml | 2.0 | All | All | All |
| Application | Lxml | Lxml | 2.0.1 | All | All | All |
| Application | Lxml | Lxml | 2.0.10 | All | All | All |
| Application | Lxml | Lxml | 2.0.11 | All | All | All |
| Application | Lxml | Lxml | 2.0.2 | All | All | All |
| Application | Lxml | Lxml | 2.0.3 | All | All | All |
| Application | Lxml | Lxml | 2.0.4 | All | All | All |
| Application | Lxml | Lxml | 2.0.5 | All | All | All |
| Application | Lxml | Lxml | 2.0.6 | All | All | All |
| Application | Lxml | Lxml | 2.0.7 | All | All | All |
| Application | Lxml | Lxml | 2.0.8 | All | All | All |
| Application | Lxml | Lxml | 2.0.9 | All | All | All |
| Application | Lxml | Lxml | 2.1 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.1 | beta1 | All | All |
| Application | Lxml | Lxml | 2.1 | beta2 | All | All |
| Application | Lxml | Lxml | 2.1 | beta3 | All | All |
| Application | Lxml | Lxml | 2.1.1 | All | All | All |
| Application | Lxml | Lxml | 2.1.2 | All | All | All |
| Application | Lxml | Lxml | 2.1.3 | All | All | All |
| Application | Lxml | Lxml | 2.1.4 | All | All | All |
| Application | Lxml | Lxml | 2.2 | - | All | All |
| Application | Lxml | Lxml | 2.2 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.2 | beta1 | All | All |
| Application | Lxml | Lxml | 2.2 | beta2 | All | All |
| Application | Lxml | Lxml | 2.2 | beta3 | All | All |
| Application | Lxml | Lxml | 2.2 | beta4 | All | All |
| Application | Lxml | Lxml | 2.2.1 | All | All | All |
| Application | Lxml | Lxml | 2.2.2 | All | All | All |
| Application | Lxml | Lxml | 2.2.3 | All | All | All |
| Application | Lxml | Lxml | 2.2.4 | All | All | All |
| Application | Lxml | Lxml | 2.2.5 | All | All | All |
| Application | Lxml | Lxml | 2.2.6 | All | All | All |
| Application | Lxml | Lxml | 2.2.7 | All | All | All |
| Application | Lxml | Lxml | 2.2.8 | All | All | All |
| Application | Lxml | Lxml | 2.3 | - | All | All |
| Application | Lxml | Lxml | 2.3 | alpha1 | All | All |
| Application | Lxml | Lxml | 2.3 | alpha2 | All | All |
| Application | Lxml | Lxml | 2.3 | beta1 | All | All |
| Application | Lxml | Lxml | 2.3.1 | All | All | All |
| Application | Lxml | Lxml | 2.3.2 | All | All | All |
| Application | Lxml | Lxml | 2.3.3 | All | All | All |
| Application | Lxml | Lxml | 2.3.4 | All | All | All |
| Application | Lxml | Lxml | 2.3.5 | All | All | All |
| Application | Lxml | Lxml | 2.3.6 | All | All | All |
| Application | Lxml | Lxml | 3.0 | - | All | All |
| Application | Lxml | Lxml | 3.0 | alpha1 | All | All |
| Application | Lxml | Lxml | 3.0 | alpha2 | All | All |
| Application | Lxml | Lxml | 3.0 | beta1 | All | All |
| Application | Lxml | Lxml | 3.0.1 | All | All | All |
| Application | Lxml | Lxml | 3.0.2 | All | All | All |
| Application | Lxml | Lxml | 3.1 | beta1 | All | All |
| Application | Lxml | Lxml | 3.1.0 | All | All | All |
| Application | Lxml | Lxml | 3.1.1 | All | All | All |
| Application | Lxml | Lxml | 3.1.2 | All | All | All |
| Application | Lxml | Lxml | 3.2.0 | All | All | All |
| Application | Lxml | Lxml | 3.2.1 | All | All | All |
| Application | Lxml | Lxml | 3.2.2 | All | All | All |
| Application | Lxml | Lxml | 3.2.3 | All | All | All |
| Application | Lxml | Lxml | 3.2.4 | All | All | All |
| Application | Lxml | Lxml | 3.2.5 | All | All | All |
| Application | Lxml | Lxml | 3.3.0 | - | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta1 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta2 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta3 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta4 | All | All |
| Application | Lxml | Lxml | 3.3.0 | beta5 | All | All |
| Application | Lxml | Lxml | 3.3.1 | All | All | All |
| Application | Lxml | Lxml | 3.3.2 | All | All | All |
| Application | Lxml | Lxml | 3.3.3 | All | All | All |
| Application | Lxml | Lxml | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Full Disclosure: Re: lxml (python lib) vulnerability | FULLDISC | seclists.org | Exploit |
| lxml changelog | CONFIRM | lxml.de | |
| Debian -- Security Information -- DSA-2941-1 lxml | DEBIAN | www.debian.org | |
| [lxml] lxml.html.clean vulnerability | MLIST | mailman-mail5.webfaction.com | Exploit |
| Support / Security / Advisories / / MDVSA-2015:112 | Mandriva | MANDRIVA | www.mandriva.com | |
| Security Advisory SA58013 - lxml "clean_html()" HTML Cleaning Bypass Vulnerability - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| Security Advisory SA59008 - SUSE update for python-lxml - Secunia | SECUNIA | secunia.com | |
| Mageia Advisory: MGASA-2014-0218 - Updated python-lxml package fix CVE-2014-3146 | CONFIRM | advisories.mageia.org | |
| USN-2217-1: lxml vulnerability | Ubuntu | UBUNTU | www.ubuntu.com | |
| Security Advisory SA58744 - Debian update for lxml - Secunia | SECUNIA | secunia.com | |
| lxml 'clean_html' Function Security Bypass Vulnerability | BID | www.securityfocus.com | Exploit |
| Full Disclosure: lxml (python lib) vulnerability | FULLDISC | seclists.org | |
| oss-security - Re: CVE request: python-lxml clean_html() input sanitization flaw | MLIST | www.openwall.com | |
| openSUSE-SU-2014:0735-1: moderate: python-lxml: Fixed input sanitization | SUSE | lists.opensuse.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 670237 EulerOS Security Update for python-lxml (EulerOS-SA-2021-1839)