CVE-2014-3146

Published: 14 May 2014

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
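The flaw class described above, as an added example that is not lxml's code and not part of the original advisory: a blacklist check that matches the scheme text literally misses a scheme containing control characters, while a check that strips them first and applies an allowlist does not. The function names, the allowlist and the sample fragment are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Blacklist-style check: hypothetical stand-in for the flaw class, not lxml's code.
NAIVE_BAD = re.compile(r"^\s*(?:javascript|vbscript):", re.I)
# C0 controls, space and DEL. URL parsers in browsers drop tab/CR/LF anywhere
# and strip leading C0 controls, so the filter must normalise the same way.
CONTROL = re.compile(r"[\x00-\x20\x7f]+")
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
ALLOWED = {"http", "https", "mailto"}  # assumed allowlist for this example

def naive_ok(url):
    return NAIVE_BAD.search(url) is None

def strict_ok(url):
    # Decide on the scheme only after control characters are removed.
    m = SCHEME.match(CONTROL.sub("", url))
    return m is None or m.group(1).lower() in ALLOWED  # no scheme: relative URL

class LinkAudit(HTMLParser):
    """Collects link attributes the naive check passes but the strict one rejects."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or value is None:
                continue
            if naive_ok(value) and not strict_ok(value):
                self.findings.append((tag, name, value))

def audit(fragment):
    parser = LinkAudit()
    parser.feed(fragment)
    parser.close()
    return parser.findings

# Constructed sample fragment (not taken from the advisory).
SAMPLE = (
    '<a href="https://example.com/a b">ok</a>'
    '<a href="/relative/path">ok</a>'
    '<a href="java\tscript:void(0)">tab inside scheme</a>'
    '<a href="\x01javascript:void(0)">leading control</a>'
    '<a href="javascript:void(0)">plain, caught by both</a>'
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(repr(finding))
```

Running `audit` over stored or incoming markup is a quick way to check whether a sanitizer in front of it shares this gap; upgrading to a fixed lxml release remains the remedy the advisory gives.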

Priority

Medium

Status

Package: lxml (Launchpad, Ubuntu, Debian)

Release and status:
Upstream: Released (3.3.5)
Ubuntu 14.04 ESM (Trusty Tahr): Released (3.3.3-1ubuntu0.1)

Patches:
Upstream: https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc