{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-15T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-28T19:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-2941", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2941"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://lxml.de/3.3/changes-3.3.5.html"}, {"name": "[oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/7"}, {"name": "USN-2217-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2217-1"}, {"name": "[lxml] 20140415 lxml.html.clean vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html"}, {"name": "58744", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/58744"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0218.html"}, {"name": "67159", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67159"}, {"name": "MDVSA-2015:112", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112"}, {"name": "58013", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/58013"}, {"name": "20140415 lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Apr/210"}, {"name": "59008", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59008"}, {"name": "openSUSE-SU-2014:0735", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html"}, {"name": "20140430 Re: lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Apr/319"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:35:56.613Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-2941", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2941"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://lxml.de/3.3/changes-3.3.5.html"}, {"name": "[oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/7"}, {"name": "USN-2217-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2217-1"}, {"name": "[lxml] 20140415 lxml.html.clean vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html"}, {"name": "58744", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/58744"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0218.html"}, {"name": "67159", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/67159"}, {"name": "MDVSA-2015:112", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112"}, {"name": "58013", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/58013"}, {"name": "20140415 lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Apr/210"}, {"name": "59008", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59008"}, {"name": "openSUSE-SU-2014:0735", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html"}, {"name": "20140430 Re: lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Apr/319"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T20:54:15.303305Z", "id": "CVE-2014-3146", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:03:02.761Z"}}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3146", "datePublished": "2014-05-14T19:00:00.000Z", "dateReserved": "2014-05-02T00:00:00.000Z", "dateUpdated": "2025-12-17T21:03:02.761Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.debian.org/security/2014/dsa-2941", "name": "DSA-2941", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "http://lxml.de/3.3/changes-3.3.5.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2014/05/09/7", "name": "[oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "http://www.ubuntu.com/usn/USN-2217-1", "name": "USN-2217-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html", "name": "[lxml] 20140415 lxml.html.clean vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "http://secunia.com/advisories/58744", "name": "58744", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://advisories.mageia.org/MGASA-2014-0218.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/67159", "name": "67159", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112", "name": "MDVSA-2015:112", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"]}, {"url": "http://secunia.com/advisories/58013", "name": "58013", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/210", "name": "20140415 lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"]}, {"url": "http://secunia.com/advisories/59008", "name": "59008", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html", "name": "openSUSE-SU-2014:0735", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/319", "name": "20140430 Re: lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:35:56.613Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2014-3146", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T20:54:15.303305Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T20:47:07.086Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-15T00:00:00.000Z", "references": [{"url": "http://www.debian.org/security/2014/dsa-2941", "name": "DSA-2941", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "http://lxml.de/3.3/changes-3.3.5.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://www.openwall.com/lists/oss-security/2014/05/09/7", "name": "[oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "http://www.ubuntu.com/usn/USN-2217-1", "name": "USN-2217-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"]}, {"url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html", "name": "[lxml] 20140415 lxml.html.clean vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "http://secunia.com/advisories/58744", "name": "58744", "tags": ["third-party-advisory", "x_refsource_SECUNIA"]}, {"url": "http://advisories.mageia.org/MGASA-2014-0218.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://www.securityfocus.com/bid/67159", "name": "67159", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112", "name": "MDVSA-2015:112", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"]}, {"url": "http://secunia.com/advisories/58013", "name": "58013", "tags": ["third-party-advisory", "x_refsource_SECUNIA"]}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/210", "name": "20140415 lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"]}, {"url": "http://secunia.com/advisories/59008", "name": "59008", "tags": ["third-party-advisory", "x_refsource_SECUNIA"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html", "name": "openSUSE-SU-2014:0735", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "http://seclists.org/fulldisclosure/2014/Apr/319", "name": "20140430 Re: lxml (python lib) vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"]}], "descriptions": [{"lang": "en", "value": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2017-12-28T19:57:01.000Z"}}}, "cveMetadata": {"cveId": "CVE-2014-3146", "state": "PUBLISHED", "dateUpdated": "2025-12-17T21:03:02.761Z", "dateReserved": "2014-05-02T00:00:00.000Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2014-05-14T19:00:00.000Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAAC1D54-E4B7-4212-A281-9AE313C7A9DC", "versionEndIncluding": "3.3.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.5:*:*:*:*:*:*:*", "matchCriteriaId": "299444A8-4017-4358-9B35-0A9C475E5FB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C48BCC21-D20B-4390-870D-C88C9863D46B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.6:*:*:*:*:*:*:*", "matchCriteriaId": "779553CC-B269-479D-8885-1251541AC8B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.7:*:*:*:*:*:*:*", "matchCriteriaId": "F73BEB9C-4F4F-4F63-81FF-0B65D6068DA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.8:*:*:*:*:*:*:*", "matchCriteriaId": "39876055-AAFD-4584-872E-044C111417B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.9:*:*:*:*:*:*:*", "matchCriteriaId": "25FD79CE-8C7C-4994-80D6-CA1E98C062EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "C641DEEC-643D-48AA-A2BC-3066CD02D072", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:0.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "C29C1834-7ADB-4444-B892-083CCA6FD0EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "08F26EDB-5E1C-453A-8332-6DF4FD0627F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "24F0DD2C-2836-4477-849A-F154C0BF37D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "4FD4F21D-D09A-488A-A457-2BB5589B6B31", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B9DFE602-6616-4369-9CA7-5C35FA80A4B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "EB0F6513-1D7F-48D8-820C-F78A7935BE8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6F36E5C1-7DF3-4692-8FEE-F1007E57399B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "4551FDBD-8975-4399-BD00-02EC03AD0CC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F067084A-72E9-4D45-8EB9-534F718FD11C", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "54021062-86DC-4B28-AD87-963F0C415798", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2B01E478-3B3A-4B05-AEDC-6A404DB7803A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "20751814-185B-489F-AD35-239EA168D293", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CB0286DD-FDA3-4B31-B579-6FD68BF88B87", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B56F992-FEE5-4EB0-BB5D-B55BC2A5CDCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "CFEEE806-93A1-4683-9524-66B969E96D9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "21DC60E8-18F6-414F-81A0-37EAEF9D73A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B693FE5-0F4F-441C-8D6D-B2B0C00F4784", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "3319AB13-F589-44CA-8936-3A4D23C3C8E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DCC3B496-51EE-41E0-B785-E9E4FA530116", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "041CED1D-1D91-4BAC-8182-BE5870ADFEB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "0F93A757-1B1A-4E69-89FD-B738F80C560D", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "2E58E8C6-6979-4256-947C-887D7E3F611A", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "06AC5F6D-F72C-4D30-997D-0202D9CACA49", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "C2AFA1D4-265D-4B72-B6A0-9F31F4612C33", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "0A216360-8892-4118-96DE-77EB7D17CA51", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "8A3513EB-8A8F-43AE-B079-AA5E27569CDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4EDD3E4E-A3C0-4686-BD91-9B58CBC74DAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "BDDCFAEE-9C4B-4610-81A5-A5AD4420D579", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "88206B3E-503D-4C9C-85A2-8E1FB720E962", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "AA9D682D-CF6B-43FB-A29D-50BC54FB3E99", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1:alpha1:*:*:*:*:*:*", "matchCriteriaId": "925AF6FD-EB7C-48EA-8747-5066103C58A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1:beta1:*:*:*:*:*:*", "matchCriteriaId": "940C521B-EF4D-4A90-B1E1-E52C9793D645", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1:beta2:*:*:*:*:*:*", "matchCriteriaId": "F3AB9E27-9017-4207-A66E-199CFD9EE4B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1:beta3:*:*:*:*:*:*", "matchCriteriaId": "8900D734-E782-4759-A4DD-D577A462042C", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5C66C8E1-EE4E-4462-8844-15995FD1FB93", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E9747A1D-D644-442B-B2AE-C8D962B187E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "777CB9D2-EACF-4F1A-B533-BFED0B27D214", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "58001941-9E40-45D7-9892-C79B7A8F3720", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:-:*:*:*:*:*:*", "matchCriteriaId": "4C7FE4FA-6C7C-4A3C-B2EE-C6B70C8A3F48", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:alpha1:*:*:*:*:*:*", "matchCriteriaId": "F7E1DFA9-CC7B-4E9F-A2E4-0FE8DF536101", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:beta1:*:*:*:*:*:*", "matchCriteriaId": "B40A7ED8-0D71-430E-BCF1-640D816C0230", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:beta2:*:*:*:*:*:*", "matchCriteriaId": "8790354C-5A4B-4CD3-ACB1-FE5AA0900281", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:beta3:*:*:*:*:*:*", "matchCriteriaId": "E1B6857F-0990-4083-9876-5DDF5FA473B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2:beta4:*:*:*:*:*:*", "matchCriteriaId": "049C39E8-4804-4048-9999-A1EAFD5B910B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C51525BB-5967-4C7F-9188-5E3895B3A2CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "A9DC336F-02E7-4E1C-A8EA-21DEE84A52F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "CD4FB16F-6BFA-4D2A-8D48-1A01154C3F85", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "00400181-FA11-49CE-B932-4F21A8278D81", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "6392F721-9F0D-4BBC-B392-A9C6F14F7F17", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "95F6166A-3856-451D-AFAA-56C5D09752D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE0D09BB-8796-40F1-8599-107B9C775C12", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "7550F3D6-4FCC-4AD5-A92D-D984A6824AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3:-:*:*:*:*:*:*", "matchCriteriaId": "30EAB48D-A728-46FB-92B3-0B97CF85E72B", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3:alpha1:*:*:*:*:*:*", "matchCriteriaId": "127C133B-5022-46FB-9D6F-05FB2E83CA87", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3:alpha2:*:*:*:*:*:*", "matchCriteriaId": "D3E49A50-3861-4265-BB2B-ABEA50C6DE7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "D72B1891-2E24-4DA7-B243-80306866F934", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "FDB6BCDC-7207-4895-8746-E40DDD1D5585", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F0D4EB6-5ED8-4018-A1FE-9BEB6D511830", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "627C0FA1-7425-4E6B-92C5-652D4F62ECAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "70059F02-B63D-4583-8AD4-769BA648317F", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "BC4FCBFB-632A-451E-8A17-C4A8F8A65AAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:2.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "8763BB95-EBF9-40A1-908C-4207D87FE578", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0:-:*:*:*:*:*:*", "matchCriteriaId": "BC015741-8F99-4F3D-B3F6-07BF23A70DC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "D1A35DEE-2561-4B4A-BFE0-C443C70175BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "6FBFD00B-5821-400E-A83C-FB0D1C26A4DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "9AB7BA95-5BEC-4AC6-8F93-5D918D1B31D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "FDAEFE73-F873-4F48-A274-F6CCB40766DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1ED8D046-5701-4AD4-BFA6-D186AA596B26", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.1:beta1:*:*:*:*:*:*", "matchCriteriaId": "685D86D0-4A37-4B9B-BD70-C1127EA51907", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9B72ABBA-9319-4BFE-8F3B-F6F36F64EB12", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2684097-3082-4612-8E1B-5CA6D2E20E3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "7981486F-129D-433B-A489-0AB90A2062E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "45C3BB16-3D44-43E8-AEF5-3454495F0CC0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CD521388-6E28-427E-9086-79BCEDB1025F", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "6BFA21DA-4807-496D-B63A-F95E6E9F39FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "87B742D1-4838-4D48-A17A-386E0CF517B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B1191E15-DC8D-4D2B-8563-10DFFF60CD51", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BA34CA6-7309-490C-8DB7-7F051F9C3CDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "E58C7CFD-0135-4D59-8D9D-A12A7BACF387", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "5FE30C26-028B-41A1-842C-1AF19E551F54", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "188EA215-8ACA-482F-9283-6780E29B5F4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "738B75AC-0AFC-4108-88A1-80EC6D03FBD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "99226ADA-A62E-4366-BDD1-1D33BDCA813F", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "2F1E30E8-484C-4925-9B6F-DD266AC602B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "02E0191B-661F-4C60-AC7F-68B95E730013", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "7922BC86-D318-404B-A39B-8AC9B1AF70BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:lxml:lxml:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "26BFDC2C-CAFE-4301-903F-31713885EB94", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."}, {"lang": "es", "value": "Vulnerabilidad de lista negra incompleta en el m\u00f3dulo lxml.html.clean en lxml anterior a 3.3.5 permite a atacantes remotos realizar ataques de XSS a trav\u00e9s de caracteres de control en la esquema de enlace hacia la funci\u00f3n clean_html."}], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/184.html\n\n\"CWE-184: Incomplete Blacklist\"", "id": "CVE-2014-3146", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2014-05-14T19:55:11.653", "references": [{"source": "secalert@redhat.com", "url": "http://advisories.mageia.org/MGASA-2014-0218.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html"}, {"source": "secalert@redhat.com", "url": "http://lxml.de/3.3/changes-3.3.5.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2014/Apr/210"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Apr/319"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/58013"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/58744"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/59008"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2014/dsa-2941"}, {"source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/7"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67159"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2217-1"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2014-0218.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lxml.de/3.3/changes-3.3.5.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Apr/210"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Apr/319"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/58013"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/58744"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59008"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2941"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67159"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2217-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "python-lxml: clean_html input sanitization flaw", "id": "1092613", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092613"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."], "name": "CVE-2014-3146", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python-lxml", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2014-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3146\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3146"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}

{}