CVE-2014-3146: lxml Cross-site Scripting Via Control Characters
(updated )
HTML cleaning can fail to strip Javascript links that mix control characters into the link scheme.
References
- github.com/advisories/GHSA-57qw-cc2g-pv5p
- github.com/lxml/lxml
- github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ec
- github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69
- github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
- github.com/lxml/lxml/pull/273
- github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yaml
- mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
- nvd.nist.gov/vuln/detail/CVE-2014-3146
- web.archive.org/web/20140724172044/http://secunia.com/advisories/58013
- web.archive.org/web/20140805110535/http://secunia.com/advisories/59008
- web.archive.org/web/20140806061046/http://secunia.com/advisories/58744
- web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
- web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/?name=MDVSA-2015:112
- web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159
Code Behaviors & Features
Detect and mitigate CVE-2014-3146 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →