Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2014-3146
Last Modified 14 Apr 2015 10:00:26
Published 14 May 2014 03:55:11
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-3146

Summary

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Vulnerable Systems

Application

  • Lxml 0.5

  • Lxml 0.5.1

  • Lxml 0.6

  • Lxml 0.7

  • Lxml 0.8

  • Lxml 0.9

  • Lxml 0.9.1

  • Lxml 0.9.2

  • Lxml 1.0

  • Lxml 1.0.1

  • Lxml 1.0.2

  • Lxml 1.0.3

  • Lxml 1.0.4

  • Lxml 1.1

  • Lxml 1.1.1

  • Lxml 1.1.2

  • Lxml 1.2

  • Lxml 1.2.1

  • Lxml 1.3

  • Lxml 1.3.1

  • Lxml 1.3.2

  • Lxml 1.3.3

  • Lxml 1.3.4

  • Lxml 1.3.5

  • Lxml 1.3.6

  • Lxml 2.0

  • Lxml 2.0.1

  • Lxml 2.0.10

  • Lxml 2.0.11

  • Lxml 2.0.2

  • Lxml 2.0.3

  • Lxml 2.0.4

  • Lxml 2.0.5

  • Lxml 2.0.6

  • Lxml 2.0.7

  • Lxml 2.0.8

  • Lxml 2.0.9

  • Lxml 2.1

  • Lxml 2.1.1

  • Lxml 2.1.2

  • Lxml 2.1.3

  • Lxml 2.1.4

  • Lxml 2.2

  • Lxml 2.2.1

  • Lxml 2.2.2

  • Lxml 2.2.3

  • Lxml 2.2.4

  • Lxml 2.2.5

  • Lxml 2.2.6

  • Lxml 2.2.7

  • Lxml 2.2.8

  • Lxml 2.3

  • Lxml 2.3.1

  • Lxml 2.3.2

  • Lxml 2.3.3

  • Lxml 2.3.4

  • Lxml 2.3.5

  • Lxml 2.3.6

  • Lxml 3.0

  • Lxml 3.0.1

  • Lxml 3.0.2

  • Lxml 3.1

  • Lxml 3.1.0

  • Lxml 3.1.1

  • Lxml 3.1.2

  • Lxml 3.2.0

  • Lxml 3.2.1

  • Lxml 3.2.2

  • Lxml 3.2.3

  • Lxml 3.2.4

  • Lxml 3.2.5

  • Lxml 3.3.0

  • Lxml 3.3.1

  • Lxml 3.3.2

  • Lxml 3.3.3

  • Lxml 3.3.4


References

MLIST - [lxml] 20140415 lxml.html.clean vulnerability

BID - 67159

MLIST - [oss-security] 20140509 Re: CVE request: python-lxml clean_html() input sanitization flaw

SECUNIA - 58013

FULLDISC - 20140430 Re: lxml (python lib) vulnerability

FULLDISC - 20140415 lxml (python lib) vulnerability

CONFIRM - http://lxml.de/3.3/changes-3.3.5.html

UBUNTU - USN-2217-1

SUSE - openSUSE-SU-2014:0735

SECUNIA - 58744

SECUNIA - 59008

MANDRIVA - MDVSA-2015:112

CONFIRM - http://advisories.mageia.org/MGASA-2014-0218.html


Last Updated: 27 May 2016 11:05:18