6.1

CVE-2014-3146

Exploit
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LxmlLxml Version <= 3.3.4
LxmlLxml Version0.5
LxmlLxml Version0.5.1
LxmlLxml Version0.6
LxmlLxml Version0.7
LxmlLxml Version0.8
LxmlLxml Version0.9
LxmlLxml Version0.9.1
LxmlLxml Version0.9.2
LxmlLxml Version1.0
LxmlLxml Version1.0.1
LxmlLxml Version1.0.2
LxmlLxml Version1.0.3
LxmlLxml Version1.0.4
LxmlLxml Version1.1
LxmlLxml Version1.1.1
LxmlLxml Version1.1.2
LxmlLxml Version1.2
LxmlLxml Version1.2.1
LxmlLxml Version1.3
LxmlLxml Version1.3.1
LxmlLxml Version1.3.2
LxmlLxml Version1.3.3
LxmlLxml Version1.3.4
LxmlLxml Version1.3.5
LxmlLxml Version1.3.6
LxmlLxml Version2.0
LxmlLxml Version2.0.1
LxmlLxml Version2.0.2
LxmlLxml Version2.0.3
LxmlLxml Version2.0.4
LxmlLxml Version2.0.5
LxmlLxml Version2.0.6
LxmlLxml Version2.0.7
LxmlLxml Version2.0.8
LxmlLxml Version2.0.9
LxmlLxml Version2.0.10
LxmlLxml Version2.0.11
LxmlLxml Version2.1 Updatealpha1
LxmlLxml Version2.1 Updatebeta1
LxmlLxml Version2.1 Updatebeta2
LxmlLxml Version2.1 Updatebeta3
LxmlLxml Version2.1.1
LxmlLxml Version2.1.2
LxmlLxml Version2.1.3
LxmlLxml Version2.1.4
LxmlLxml Version2.2 Update-
LxmlLxml Version2.2 Updatealpha1
LxmlLxml Version2.2 Updatebeta1
LxmlLxml Version2.2 Updatebeta2
LxmlLxml Version2.2 Updatebeta3
LxmlLxml Version2.2 Updatebeta4
LxmlLxml Version2.2.1
LxmlLxml Version2.2.2
LxmlLxml Version2.2.3
LxmlLxml Version2.2.4
LxmlLxml Version2.2.5
LxmlLxml Version2.2.6
LxmlLxml Version2.2.7
LxmlLxml Version2.2.8
LxmlLxml Version2.3 Update-
LxmlLxml Version2.3 Updatealpha1
LxmlLxml Version2.3 Updatealpha2
LxmlLxml Version2.3 Updatebeta1
LxmlLxml Version2.3.1
LxmlLxml Version2.3.2
LxmlLxml Version2.3.3
LxmlLxml Version2.3.4
LxmlLxml Version2.3.5
LxmlLxml Version2.3.6
LxmlLxml Version3.0 Update-
LxmlLxml Version3.0 Updatealpha1
LxmlLxml Version3.0 Updatealpha2
LxmlLxml Version3.0 Updatebeta1
LxmlLxml Version3.0.1
LxmlLxml Version3.0.2
LxmlLxml Version3.1 Updatebeta1
LxmlLxml Version3.1.0
LxmlLxml Version3.1.1
LxmlLxml Version3.1.2
LxmlLxml Version3.2.0
LxmlLxml Version3.2.1
LxmlLxml Version3.2.2
LxmlLxml Version3.2.3
LxmlLxml Version3.2.4
LxmlLxml Version3.2.5
LxmlLxml Version3.3.0 Update-
LxmlLxml Version3.3.0 Updatebeta1
LxmlLxml Version3.3.0 Updatebeta2
LxmlLxml Version3.3.0 Updatebeta3
LxmlLxml Version3.3.0 Updatebeta4
LxmlLxml Version3.3.0 Updatebeta5
LxmlLxml Version3.3.1
LxmlLxml Version3.3.2
LxmlLxml Version3.3.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.27% 0.885
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.