Incomplete Blacklist Vulnerability in lxml Library for Python Web Applications
CVE-2014-3146

CVSS v3.1 score: 6.1 (MEDIUM)

Key Information:

Vendor: Lxml
Status: Vendor
CVE Published: 14 May 2014

What is CVE-2014-3146?

An incomplete blacklist vulnerability exists in the lxml.html.clean module of the lxml library, allowing remote attackers to perform cross-site scripting (XSS) attacks. The flaw is triggered by control characters placed in a link's scheme and passed through the clean_html function: the blacklist check on the scheme does not account for them, so the link is not sanitized. Versions before 3.3.5 are affected, and Python web applications that rely on lxml.html.clean to sanitize untrusted HTML are exposed until they upgrade to 3.3.5 or later; treating the cleaner as one layer among several (for example, rejecting links whose values contain control characters before cleaning) is a reasonable defence in depth.
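Two checks a defender would want alongside the upgrade, written here as an added example (not code from the lxml project or from this advisory): a version comparison against the 3.3.5 fix named above, and a pre-filter that flags any href value containing an ASCII control character so the document can be rejected before it reaches a sanitizer. The href extractor, the sample HTML and the function names are constructed for this illustration; a real deployment would walk the parsed tree rather than regex-match attributes.

```python
import re
from typing import List, Tuple

# 3.3.5 is the first release this record names as fixed.
FIXED_VERSION = (3, 3, 5)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.3.4' or '3.3.5.post1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given lxml version predates the 3.3.5 fix."""
    return parse_version(version) < FIXED_VERSION


# ASCII control characters (C0 range plus DEL); none belong in a URL scheme.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Minimal href extractor for the demo (assumed, not lxml's API).
HREF_ATTR = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def href_has_control_chars(href: str) -> bool:
    """Flag a link value that carries any control character."""
    return CONTROL_CHARS.search(href) is not None


def find_suspicious_hrefs(html: str) -> List[str]:
    """Return every href value with a control character so the caller can
    reject the document instead of relying solely on the cleaner's scheme check."""
    return [h for h in HREF_ATTR.findall(html) if href_has_control_chars(h)]


# Constructed sample: one clean link, one with an embedded control byte.
SAMPLE_HTML = (
    '<p><a href="https://example.com/docs">ok</a>'
    '<a href="https://example.com/\x01path">suspicious</a></p>'
)

if __name__ == "__main__":
    print("3.3.4 vulnerable:", is_vulnerable_version("3.3.4"))
    print("flagged hrefs:", find_suspicious_hrefs(SAMPLE_HTML))
```

Run against the installed library with `import lxml; is_vulnerable_version(lxml.__version__)`; the pre-filter is meant to run on the raw input before `clean_html`, and a hit should be logged and the document rejected rather than cleaned.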

References

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 14 May 2014

  • Vulnerability reserved