PYSEC-2014-9
PUBLISHED
CVSS 9.3 CRITICAL
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | lxml | 0, 0.9, 0.9.1 |
Timeline
- May 14, 2014 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
References
- http://lxml.de/3.3/changes-3.3.5.html url
- http://seclists.org/fulldisclosure/2014/Apr/210 url
- http://www.securityfocus.com/bid/67159 url
- http://www.openwall.com/lists/oss-security/2014/05/09/7 url
- http://secunia.com/advisories/58013 advisory
- http://seclists.org/fulldisclosure/2014/Apr/319 url
- https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html url
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html url
- http://secunia.com/advisories/58744 advisory
- http://secunia.com/advisories/59008 advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:112 advisory
- http://advisories.mageia.org/MGASA-2014-0218.html advisory
- http://www.ubuntu.com/usn/USN-2217-1 advisory
- http://www.debian.org/security/2014/dsa-2941 advisory