CVSS 6.1 · MEDIUM

CVE-2014-3146

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

View in NVD

Severity

Score: 6.1 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: REQUIRED
S: CHANGED
C: LOW
I: LOW
A: NONE
Weakness type (CWE): NVD-CWE-Other, CWE-79

EPSS

Exploitation probability (next 30 days): 0.0427 (4.3%)
Percentile: 88.9%
EPSS: 2026-05-06

Affects

lxml:lxml


Published: 14/5/2014, 19:55:11
Last modified: 6/5/2026, 22:30:45

References
