Cross-site Scripting (XSS) Affecting lxml package, versions [,3.3.5)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
2.51% (91st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-LXML-40279
  • published15 Apr 2014
  • disclosed15 Apr 2014
  • creditksimka

Introduced: 15 Apr 2014

CVE-2014-3146  (opens in a new tab)
CWE-79  (opens in a new tab)

Overview

lxml is a Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API. Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Details

<>

References

CVSS Base Scores

version 3.1