CVE-2014-3146

high-risk

Published 2014-05-14

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Do I need to act?

4.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

39155

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Lxml

Affected Vendors

Lxml

References (28)

http://advisories.mageia.org/MGASA-2014-0218.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html

http://lxml.de/3.3/changes-3.3.5.html

http://seclists.org/fulldisclosure/2014/Apr/210

Exploit http://seclists.org/fulldisclosure/2014/Apr/319

Vendor Advisory http://secunia.com/advisories/58013

http://secunia.com/advisories/58744

http://secunia.com/advisories/59008

http://www.debian.org/security/2014/dsa-2941

http://www.mandriva.com/security/advisories?name=MDVSA-2015:112

http://www.openwall.com/lists/oss-security/2014/05/09/7

Exploit http://www.securityfocus.com/bid/67159

http://www.ubuntu.com/usn/USN-2217-1

Exploit https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html

http://advisories.mageia.org/MGASA-2014-0218.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html

http://lxml.de/3.3/changes-3.3.5.html

http://seclists.org/fulldisclosure/2014/Apr/210

Exploit http://seclists.org/fulldisclosure/2014/Apr/319

Vendor Advisory http://secunia.com/advisories/58013

and 8 more references

/ 100

high-risk

Severity 23/34 · High

Exploitability 14/34 · Moderate

Exposure 30/34 · Critical