CVE-2014-3146 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2014-3146

CVE-2014-3146

May 14, 2014

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Affected Packages

lxml (PYTHON):

Affected version(s) >=0.9 <3.3.5

Fix Suggestion:

Update to version 3.3.5

Related Resources (28)

http://secunia.com/advisories/58013

http://secunia.com/advisories/59008

https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yaml

https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

http://www.debian.org/security/2014/dsa-2941

http://www.securityfocus.com/bid/67159

https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html

http://www.openwall.com/lists/oss-security/2014/05/09/7

https://web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159

http://lxml.de/3.3/changes-3.3.5.html

http://www.ubuntu.com/usn/USN-2217-1

https://github.com/lxml/lxml

https://github.com/lxml/lxml/pull/273

http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html

https://web.archive.org/web/20140724172044/http://secunia.com/advisories/58013

http://advisories.mageia.org/MGASA-2014-0218.html

http://seclists.org/fulldisclosure/2014/Apr/319

https://web.archive.org/web/20140805110535/http://secunia.com/advisories/59008

https://web.archive.org/web/20140806061046/http://secunia.com/advisories/58744

https://github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ec

https://web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/?name=MDVSA-2015:112

http://www.mandriva.com/security/advisories?name=MDVSA-2015:112

http://secunia.com/advisories/58744

https://access.redhat.com/security/cve/CVE-2014-3146

http://seclists.org/fulldisclosure/2014/Apr/210

https://github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69

https://nvd.nist.gov/vuln/detail/CVE-2014-3146

https://web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

CVSS v2

Base Score:

4.3

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

4.27

Products

Solutions

Resources

Company

Compare

Developer Tools