CVE-2014-3146
Published 2014-05-14
Priority P3 · medium · CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (network, low complexity, no privileges, user interaction required, scope changed, low confidentiality and integrity impact)
EPSS: 6.33% (92.8th percentile)
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Affected (100 ranges recorded; rows that carry version data)
| Vendor | Product | Version range | Fixed in | Note |
|---|---|---|---|---|
| lxml | lxml | <= 3.3.4 | 3.3.5 | CVE-2014-3146 |
| debian | lxml | < 3.3.5-1 | 3.3.5-1 (bookworm) | CVE-2014-3146 |
| lxml | lxml | < 4.2.5 | 4.2.5 | related issue CVE-2018-19787 |
| debian | lxml | < 4.2.5-1 | 4.2.5-1 (bookworm) | related issue CVE-2018-19787 |
| canonical | ubuntu_linux | — | — | see USN-2217-1 |
| debian | debian_linux | — | — | see DSA-2941 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Microsoft
vendor_msrc · 2018-12-11 · CVSS 6.1 · CVE-2018-19787 [MEDIUM] CWE-79
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See th
Red Hat
vendor_redhat · 2018-09-09 · CVSS 6.1 · CVE-2018-19787 [MEDIUM] CWE-79
python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
Package: python-lxml (Red Hat Enterprise Linux 5) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux 6) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux 7) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux 8) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Will not fix
Package: python-lxml (Red Hat OpenStack Platform 10 (Newton)) - Will not fix
Debian
vendor_debian · 2018 · CVSS 6.1 · CVE-2018-19787 [MEDIUM]
CVE-2018-19787: lxml
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
Scope: local
bookworm: resolved (fixed in 4.2.5-1)
bullseye: resolved (fixed in 4.2.5-1)
forky: resolved (fixed in 4.2.5-1)
sid: resolved (fixed in 4.2.5-1)
trixie: resolved (fixed in 4.2.5-1)
Ubuntu
vendor_ubuntu · 2014-05-21 · CVE-2014-3146
Title: lxml vulnerability
Summary: lxml could allow cross-site scripting (XSS) attacks.
It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
vendor_redhat · 2014-04-15 · CVSS 6.1 · CVE-2014-3146 [MEDIUM]
python-lxml: clean_html input sanitization flaw
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: python-lxml (Red Hat Enterprise Linux 5) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux 6) - Will not fix
Package: python-lxml (Red Hat Enterprise Linux 7) - Will not fix
Debian
vendor_debian · 2014 · CVSS 6.1 · CVE-2014-3146 [MEDIUM]
CVE-2014-3146: lxml
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Scope: local
bookworm: resolved (fixed in 3.3.5-1)
bullseye: resolved (fixed in 3.3.5-1)
forky: resolved (fixed in 3.3.5-1)
sid: resolved (fixed in 3.3.5-1)
trixie: resolved (fixed in 3.3.5-1)
OSV
osv · 2022-05-14 · CVE-2014-3146 [MEDIUM]
lxml Cross-site Scripting Via Control Characters
Incomplete blacklist vulnerability in the `lxml.html.clean` module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the `clean_html` function.
GHSA
ghsa · 2022-05-14 · CVE-2014-3146 [MEDIUM] CWE-79
lxml Cross-site Scripting Via Control Characters (same advisory text as the OSV entry above)
OSV
osv · 2022-05-13 · CVSS 6.1 · CVE-2018-19787 [MEDIUM]
Improper Neutralization of Input During Web Page Generation in LXML
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
GHSA
ghsa · 2022-05-13 · CVSS 6.1 · CVE-2018-19787 [MEDIUM] CWE-79
Improper Neutralization of Input During Web Page Generation in LXML (same advisory text as the OSV entry above)
OSV
osv · 2018-12-02 · CVSS 6.1 · CVE-2018-19787 [MEDIUM]
CVE-2018-19787: An issue was discovered in lxml before 4.2.5 (NVD description, as above)
OSV
osv · 2014-05-14 · CVSS 6.1 · CVE-2014-3146 [MEDIUM]
CVE-2014-3146: Incomplete blacklist vulnerability in the lxml.html.clean module (NVD description, as above)
No detection rules found.
Bugzilla
bugzilla · 2018-12-17 · CVSS 6.1 · CVE-2018-19787 [MEDIUM]
CVE-2018-19787 python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py
An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
References:
https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109
Discussion:
Created python-lxml tracking bugs for this issue:
Affects: fedora-all [bug 1660236]
---
Easy to reproduce. As an example, 'poc' should be cleaned to 'poc' but isn't.
Apparently Internet Explorer can somehow execute "j a v a s c r i p t:" (with spaces). I don't have any experience with that, but I'll trust
Bugzilla
bugzilla · 2014-04-29 · CVSS 6.1 · CVE-2014-3146 [MEDIUM]
CVE-2014-3146 python-lxml: clean_html input sanitization flaw
The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.
This issue has been reported upstream at [2] and a patch is available at [3].
[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-Apr
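Both issues on this page have the same incomplete-blacklist shape: a link's scheme is compared against a list of script schemes after whitespace has been stripped, but characters the browser also ignores survive the stripping (the non-printing characters \x01-\x08 described above for CVE-2014-3146, percent-encoded forms for the related CVE-2018-19787) and the comparison never fires. The following example was written for this page and is not lxml's code: it puts a naive scheme check beside a hardened one, runs both over constructed probe links, and walks a constructed HTML fragment with the standard-library parser. The scheme list, the function names and the probe strings are this example's own assumptions.

```python
"""Scheme check for HTML link attributes: the incomplete-blacklist shape next to a
hardened one.  Stand-alone illustration for this advisory; it is not lxml's code."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Schemes that run script (or smuggle content) in some browsers.  The list is an
# assumption for this example; the point is what happens *before* the comparison.
SCRIPT_SCHEMES = frozenset(
    {"javascript", "jscript", "livescript", "vbscript", "data", "about", "mocha"})

# Incomplete form: only ordinary whitespace is collapsed before the scheme is
# read, so "java\x01script:" keeps its \x01 and never equals "javascript".
_STRIP_WHITESPACE = re.compile(r"\s+")

# Hardened form: also drop the C0 control characters a lenient browser ignores.
# This is deliberately wider than the \x01-\x08 range named in the advisory.
_STRIP_WHITESPACE_AND_CONTROL = re.compile(r"[\s\x00-\x1f\x7f]+")


def _scheme(link, strip):
    """Lower-cased scheme of *link* after *strip* has removed junk; '' if none."""
    scheme, sep, _rest = strip.sub("", link).partition(":")
    return scheme.lower() if sep else ""


def is_script_link_naive(link):
    """Blacklist match with whitespace stripped but control characters kept."""
    return _scheme(link, _STRIP_WHITESPACE) in SCRIPT_SCHEMES


def is_script_link_hardened(link):
    """Percent-decode first (so 'javascript%3A' is seen as 'javascript:'), then
    strip whitespace and control characters, then match the scheme."""
    return _scheme(unquote_plus(link), _STRIP_WHITESPACE_AND_CONTROL) in SCRIPT_SCHEMES


# Constructed probe links (not taken from the advisories).
PROBES = [
    "java\x01script:alert(1)",        # control character inside the scheme
    "j a v a s c r i p t:alert(1)",   # spaces inside the scheme
    "javascript%3Aalert(1)",          # percent-encoded colon, the "escaping" case
    "JavaScript:alert(1)",            # mixed case
    "https://example.com/",           # benign
]


def bypasses(links=PROBES):
    """Links the naive check accepts but the hardened check rejects."""
    return [l for l in links if is_script_link_hardened(l) and not is_script_link_naive(l)]


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for URL-bearing attributes."""
    URL_ATTRS = frozenset({"href", "src", "action", "formaction"})

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value is not None:
                self.links.append((tag, name, value))


def script_links_in(html_text):
    """URL attributes in *html_text* whose normalised scheme runs script.
    The parser decodes character references in attribute values before we see
    them, so an entity-encoded colon reaches the check as ':'."""
    parser = _LinkCollector()
    parser.feed(html_text)
    parser.close()
    return [(t, a, v) for t, a, v in parser.links if is_script_link_hardened(v)]


# Constructed fragment: a bypass link, a benign link and a spaced-scheme image source.
SAMPLE_HTML = (
    '<a href="java\x01script:alert(1)">poc</a>'
    '<a href="https://example.com/">ok</a>'
    '<img src="j a v a s c r i p t:alert(2)">'
)

if __name__ == "__main__":
    for link in PROBES:
        print(f"{link!r:36} naive={is_script_link_naive(link)!s:5} "
              f"hardened={is_script_link_hardened(link)}")
    print("bypassed by naive check:", bypasses())
    print("flagged in fragment:", script_links_in(SAMPLE_HTML))
```

The example keeps the blacklist because that is what the advisories describe; in new code an allowlist of the few schemes you actually want (http, https, mailto) is the safer design, since a denylist is incomplete by construction and every decoding layer the browser applies (percent-encoding, character references, ignored control bytes) has to be reproduced before the match. The check a practitioner wants on a deployed host is the library version: `python -c "import lxml; print(lxml.__version__)"` should report 3.3.5 or later for this issue and 4.2.5 or later for CVE-2018-19787; since lxml 5.2 the lxml.html.clean module is shipped separately as the lxml_html_clean package, so inspect that package's version as well.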
References:
http://advisories.mageia.org/MGASA-2014-0218.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html
http://lxml.de/3.3/changes-3.3.5.html
http://seclists.org/fulldisclosure/2014/Apr/210
http://seclists.org/fulldisclosure/2014/Apr/319
http://secunia.com/advisories/58013
http://secunia.com/advisories/58744
http://secunia.com/advisories/59008
http://www.debian.org/security/2014/dsa-2941
http://www.mandriva.com/security/advisories?name=MDVSA-2015:112
http://www.openwall.com/lists/oss-security/2014/05/09/7
http://www.securityfocus.com/bid/67159
http://www.ubuntu.com/usn/USN-2217-1
https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html