CVE-2014-3146: Code Injection

May 14, 2014 (updated December 28, 2017)

Incomplete denylist in the lxml.html.clean module in lxml allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3146
github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007129.html

Code Behaviors & Features

Detect and mitigate CVE-2014-3146 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →