CVE-2014-3146

Published: 14 May 2014

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Priority

Medium

Status

Package: lxml (Launchpad, Ubuntu, Debian)

Release: Status
lucid: Ignored (reached end-of-life)
precise: Released (2.3.2-1ubuntu0.2)
quantal: Ignored (reached end-of-life)
saucy: Released (3.2.0-1ubuntu0.1)
trusty: Released (3.3.3-1ubuntu0.1)
upstream: Released (3.3.5)
Patches:
upstream: https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
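
The description above names an incomplete blacklist on the link scheme. The sketch below is an added example, not lxml's code or the upstream patch: it contrasts a scheme check on the raw string with one that removes control characters first. The function names, the blocked-scheme list and the sample links are assumptions constructed for illustration.

```python
import re

# Schemes this illustrative filter refuses (an assumption, not lxml's own list).
BLOCKED_SCHEMES = ("javascript", "vbscript")

# Whitespace plus C0 control characters and DEL. Browsers drop tabs and
# newlines anywhere in a URL and strip leading control characters before
# they read the scheme, so a filter has to compare the same normalized form.
_CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f\x7f]+")


def naive_is_blocked(link):
    """Incomplete blacklist: compares the scheme exactly as written."""
    scheme, sep, _ = link.strip().lower().partition(":")
    return bool(sep) and scheme in BLOCKED_SCHEMES


def hardened_is_blocked(link):
    """Remove control characters and whitespace first, then compare."""
    normalized = _CONTROL_OR_SPACE.sub("", link).lower()
    scheme, sep, _ = normalized.partition(":")
    return bool(sep) and scheme in BLOCKED_SCHEMES


def missed_by_naive(links):
    """Links the naive check lets through but the hardened check refuses."""
    return [l for l in links if hardened_is_blocked(l) and not naive_is_blocked(l)]


# Constructed sample links (not taken from the advisory).
SAMPLE_LINKS = [
    "https://example.com/page?x=1",
    "/relative/path",
    "javascript:void(0)",
    "java\tscript:void(0)",
    "\x01javascript:void(0)",
    "JaVa\r\nScRiPt:void(0)",
]

if __name__ == "__main__":
    for link in missed_by_naive(SAMPLE_LINKS):
        print("naive check missed:", repr(link))
```

Run over stored or incoming link attributes, `missed_by_naive` gives a quick list of values that a pre-3.3.5-style exact-match check would have passed.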