PYSEC-2014-9

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2014-9.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2014-9

Aliases

Published

2014-05-14T19:55:00Z

Modified

2023-11-08T03:57:37.141654Z

Summary

[none]

Details

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

References

Affected packages

PyPI / lxml

Package

Name: lxml; View open source insights on deps.dev
Purl: pkg:pypi/lxml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.5

Affected versions

0.*

0.9

0.9.1

0.9.2

1.*

1.0.beta

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1alpha

1.1beta

1.1

1.1.1

1.1.2

1.2

1.2.1

1.3beta

1.3

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

2.*

2.0alpha1

2.0alpha2

2.0alpha3

2.0alpha4

2.0alpha5

2.0alpha6

2.0beta1

2.0beta2

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.1alpha1

2.1beta1

2.1beta2

2.1beta3

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2alpha1

2.2beta1

2.2beta2

2.2beta3

2.2beta4

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.3alpha1

2.3alpha2

2.3beta1

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

3.*

3.0

3.0.1

3.0.2

3.1beta1

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.3.0beta1

3.3.0beta2

3.3.0beta3

3.3.0beta4

3.3.0beta5

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2014-9.yaml"