
CVE-2014-3146
Date: (C)2014-05-15   (M)2023-12-22


Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
http://seclists.org/fulldisclosure/2014/Apr/210
http://seclists.org/fulldisclosure/2014/Apr/319
SECUNIA-58013
SECUNIA-58744
SECUNIA-59008
BID-67159
DSA-2941
MDVSA-2015:112
USN-2217-1
https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
http://www.openwall.com/lists/oss-security/2014/05/09/7
http://advisories.mageia.org/MGASA-2014-0218.html
http://lxml.de/3.3/changes-3.3.5.html
openSUSE-SU-2014:0735

CPE    94
cpe:/a:lxml:lxml:3.0:alpha2
cpe:/a:lxml:lxml:3.0:alpha1
cpe:/a:lxml:lxml:3.3.1
cpe:/a:lxml:lxml:3.3.3
...
OVAL    3
oval:org.secpod.oval:def:52213
oval:org.secpod.oval:def:1300299
oval:org.secpod.oval:def:701940

© SecPod Technologies