CVE-2014-3146: XSS

Q: What is the severity of CVE-2014-3146?

CVE-2014-3146 is considered a moderate severity vulnerability as it allows for cross-site scripting (XSS) attacks.

Q: How do I fix CVE-2014-3146?

To fix CVE-2014-3146, upgrade lxml to version 3.3.5 or higher.

Q: What specific feature in lxml is affected by CVE-2014-3146?

CVE-2014-3146 affects the `lxml.html.clean` module, which has an incomplete blacklist.

Q: Which software versions are impacted by CVE-2014-3146?

Versions of lxml prior to 3.3.5, including all releases up to 3.3.4, are impacted by CVE-2014-3146.

Q: Can CVE-2014-3146 lead to data theft?

Yes, CVE-2014-3146 can allow attackers to execute arbitrary scripts in the user's browser, potentially leading to data theft.

Published May 14, 2014

Updated

Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the cleanhtml function.

Other sources

lxml could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the cleanhtml() function. By sending a specially-crafted request, an attacker could exploit this vulnerability and perform unauthorized actions.

— IBM

Affected Software

97 affected componentsFixes available

pip/lxml<3.3.5

3.3.5

lxml lxml<=3.3.4

lxml lxml=0.5

lxml lxml=0.5.1

lxml lxml=0.6

lxml lxml=0.7

lxml lxml=0.8

lxml lxml=0.9

lxml lxml=0.9.1

lxml lxml=0.9.2

lxml lxml=1.0

lxml lxml=1.0.1

lxml lxml=1.0.2

lxml lxml=1.0.3

lxml lxml=1.0.4

lxml lxml=1.1

lxml lxml=1.1.1

lxml lxml=1.1.2

lxml lxml=1.2

lxml lxml=1.2.1

lxml lxml=1.3

lxml lxml=1.3.1

lxml lxml=1.3.2

lxml lxml=1.3.3

lxml lxml=1.3.4

lxml lxml=1.3.5

lxml lxml=1.3.6

lxml lxml=2.0

lxml lxml=2.0.1

lxml lxml=2.0.2

lxml lxml=2.0.3

lxml lxml=2.0.4

lxml lxml=2.0.5

lxml lxml=2.0.6

lxml lxml=2.0.7

lxml lxml=2.0.8

lxml lxml=2.0.9

lxml lxml=2.0.10

lxml lxml=2.0.11

lxml lxml=2.1-alpha1

lxml lxml=2.1-beta1

lxml lxml=2.1-beta2

lxml lxml=2.1-beta3

lxml lxml=2.1.1

lxml lxml=2.1.2

lxml lxml=2.1.3

lxml lxml=2.1.4

lxml lxml=2.2

lxml lxml=2.2-alpha1

lxml lxml=2.2-beta1

lxml lxml=2.2-beta2

lxml lxml=2.2-beta3

lxml lxml=2.2-beta4

lxml lxml=2.2.1

lxml lxml=2.2.2

lxml lxml=2.2.3

lxml lxml=2.2.4

lxml lxml=2.2.5

lxml lxml=2.2.6

lxml lxml=2.2.7

lxml lxml=2.2.8

lxml lxml=2.3

lxml lxml=2.3-alpha1

lxml lxml=2.3-alpha2

lxml lxml=2.3-beta1

lxml lxml=2.3.1

lxml lxml=2.3.2

lxml lxml=2.3.3

lxml lxml=2.3.4

lxml lxml=2.3.5

lxml lxml=2.3.6

lxml lxml=3.0

lxml lxml=3.0-alpha1

lxml lxml=3.0-alpha2

lxml lxml=3.0-beta1

lxml lxml=3.0.1

lxml lxml=3.0.2

lxml lxml=3.1-beta1

lxml lxml=3.1.0

lxml lxml=3.1.1

lxml lxml=3.1.2

lxml lxml=3.2.0

lxml lxml=3.2.1

lxml lxml=3.2.2

lxml lxml=3.2.3

lxml lxml=3.2.4

lxml lxml=3.2.5

lxml lxml=3.3.0

lxml lxml=3.3.0-beta1

lxml lxml=3.3.0-beta2

lxml lxml=3.3.0-beta3

lxml lxml=3.3.0-beta4

lxml lxml=3.3.0-beta5

lxml lxml=3.3.1

lxml lxml=3.3.2

lxml lxml=3.3.3

IBM QRadar SIEM<=7.5 - 7.5.0 UP8 IF01

Event History

May 14, 2014

CVE Published

via MITRE·07:00 PM

Data Sourced

via MITRE·07:00 PM

Description

Data Sourced

via NVD·07:55 PM

DescriptionSeverityWeaknessAffected Software

May 14, 2022

Advisory Published

via GitHub·04:01 AM

Parent advisories

This vulnerability appears in the following advisories.

IBM-7150684

Frequently Asked Questions

What is the severity of CVE-2014-3146?

CVE-2014-3146 is considered a moderate severity vulnerability as it allows for cross-site scripting (XSS) attacks.

How do I fix CVE-2014-3146?

To fix CVE-2014-3146, upgrade lxml to version 3.3.5 or higher.

What specific feature in lxml is affected by CVE-2014-3146?