966 matches found

Packet Storm
added 2023/11/13 12:00 a.m., 868 views

Elementor Website Builder SQL Injection

EXPLOIT: Elementor Website Builder, Replace URL page. On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": http://localhost:8080/?test',meta_key='key4'where+meta_id=SLEEP(2); Press "Replace URL" on the Replace URL page. Burp Suit...

CVSS 7.2, AI score 7.4, EPSS 0.09142
Exploits: 7
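The injection above works because the plugin builds the UPDATE statement by pasting the "Old URL" into SQL text, so a quote in the input ends the string literal and the remainder is parsed as SQL. The following is an added example, not Elementor's code: a constructed SQLite stand-in for the postmeta table, the string-built UPDATE beside its parameterized form, and a constructed payload shaped like the advisory's (close the literal, smuggle a second SET assignment, comment out the original WHERE). Table and column names are assumptions; SQLite has no SLEEP(), so the example shows the structural effect of the injection rather than the timing oracle.

```python
"""String-built vs parameterized UPDATE (added example, not Elementor's code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress-style postmeta table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE postmeta (meta_id INTEGER PRIMARY KEY, meta_key TEXT, meta_value TEXT)"
    )
    con.executemany(
        "INSERT INTO postmeta VALUES (?, ?, ?)",
        [
            (1, "_elementor_data", "http://old.example/page"),
            (2, "_elementor_data", "http://old.example/other"),
        ],
    )
    return con


def replace_url_vulnerable(con: sqlite3.Connection, old: str, new: str) -> None:
    """Vulnerable: user input is interpolated into the SQL text, so a quote in
    'old' terminates the string literal and everything after it is parsed as SQL."""
    sql = (
        "UPDATE postmeta SET meta_value = REPLACE(meta_value, '%s', '%s') "
        "WHERE meta_key = '_elementor_data'" % (old, new)
    )
    con.execute(sql)


def replace_url_fixed(con: sqlite3.Connection, old: str, new: str) -> None:
    """Fixed: placeholders. The driver passes the values out of band, so they
    can never change the structure of the statement."""
    con.execute(
        "UPDATE postmeta SET meta_value = REPLACE(meta_value, ?, ?) "
        "WHERE meta_key = '_elementor_data'",
        (old, new),
    )


# Constructed payload in the shape of the advisory's: close REPLACE(), add an
# extra SET assignment, then comment out the original WHERE clause with "--".
PAYLOAD_OLD = "x', '') , meta_key = 'hijacked' WHERE meta_id = 2 -- "


def meta_keys(con: sqlite3.Connection) -> list:
    return [r[0] for r in con.execute("SELECT meta_key FROM postmeta ORDER BY meta_id")]


def meta_values(con: sqlite3.Connection) -> list:
    return [r[0] for r in con.execute("SELECT meta_value FROM postmeta ORDER BY meta_id")]


if __name__ == "__main__":
    con = make_db()
    replace_url_vulnerable(con, PAYLOAD_OLD, "new")
    print("vulnerable:", meta_keys(con))   # row 2's meta_key is now 'hijacked'
    con = make_db()
    replace_url_fixed(con, PAYLOAD_OLD, "new")
    print("fixed:", meta_keys(con))        # nothing changed
```

The parameterized version still performs the intended replacement (try "old.example" to "new.example"); what it removes is the attacker's ability to alter which rows and which columns the statement touches.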
Prion
added 2023/11/10 4:15 a.m., 19 views

Code injection

The Python implementation shipped with IBM AIX 7.3 could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965...

CVSS 1.7, AI score 6.4, EPSS 0.00018
Exploits: 0, References: 3, Affected software: 2
Veracode
added 2023/11/03 5:32 a.m., 12 views

Remote Code Execution (RCE)

transmute-core is vulnerable to remote code execution (RCE). The vulnerability is due to unsafe YAML deserialization, which allows a remote attacker to execute arbitrary Python code by having the library deserialize attacker-supplied YAML...

CVSS 9.8, AI score 8.6, EPSS 0.00142
Exploits: 0, References: 3, Affected software: 1
Github Security Blog
added 2023/11/02 6:30 a.m., 33 views

transmute-core unsafe YAML deserialization vulnerability

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 7.9, EPSS 0.00142
Exploits: 0, References: 6, Affected software: 1
OSV
added 2023/11/02 6:30 a.m., 10 views

GHSA-W9CP-3X79-2P8P transmute-core unsafe YAML deserialization vulnerability

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 9.7, EPSS 0.00142
Exploits: 0, References: 6
NVD
added 2023/11/02 6:15 a.m., 10 views

CVE-2023-47204

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 9.7, EPSS 0.00142
Exploits: 0, References: 2
OSV
added 2023/11/02 6:15 a.m., 12 views

CVE-2023-47204

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 7.8
Exploits: 0, References: 2
OSV
added 2023/11/02 6:15 a.m., 11 views

PYSEC-2023-223

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 7.9, EPSS 0.00142
Exploits: 0, References: 2
Cvelist
added 2023/11/02 12:00 a.m., 12 views

CVE-2023-47204

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

AI score 9.9, EPSS 0.00142
Exploits: 0, References: 2
CNNVD
added 2023/11/02 12:00 a.m., 1 view

transmute-core security vulnerability

transmute-core is a library for building API generators for Python web frameworks. A security vulnerability exists in versions of transmute-core prior to 1.13.5; it stems from insecure YAML deserialization and allows attackers to execute arbitrary Python code...

CVSS 9.8, AI score 7.4, EPSS 0.00142
Exploits: 0, References: 3
Vulnrichment
added 2023/11/02 12:00 a.m., 8 views

CVE-2023-47204

Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code...

AI score 9.7, EPSS 0.00142
Exploits: 0, References: 2
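Every transmute-core entry above turns on the same PyYAML detail: yaml.Loader (the same class as yaml.UnsafeLoader) honours the python/* tags, so a "!!python/object/apply:" node in the document is a function call with attacker-chosen arguments, performed while parsing. The following is an added example, not transmute-core's code, showing a constructed document that reaches subprocess through yaml.Loader beside the fix, yaml.safe_load, which refuses the tag with a ConstructorError. It assumes PyYAML is installed and an "echo" binary exists on the host.

```python
"""Unsafe vs safe PyYAML loading (added example, not transmute-core's code)."""
import subprocess  # imported only so the comment below is honest: the loader
                   # resolves the dotted name itself, no import in our code needed

import yaml

# Constructed attacker-controlled document. The python/object/apply tag tells
# yaml.Loader to import "subprocess", look up "check_output", and CALL it with
# the sequence below as positional arguments. Parsing == execution.
MALICIOUS_YAML = """
name: harmless looking config
command: !!python/object/apply:subprocess.check_output
  - ["echo", "yaml.Loader reached the shell"]
"""


def load_unsafe(text: str):
    """The vulnerable pattern: yaml.load with the full (unsafe) Loader."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """The fix: safe_load only constructs plain scalars, lists and mappings and
    raises yaml.constructor.ConstructorError on any python/* tag."""
    return yaml.safe_load(text)


def demonstrate():
    """Returns (what the unsafe loader produced for 'command', whether safe_load
    rejected the same document)."""
    unsafe = load_unsafe(MALICIOUS_YAML)
    try:
        load_safe(MALICIOUS_YAML)
        safe_rejected = False
    except yaml.constructor.ConstructorError:
        safe_rejected = True
    return unsafe["command"], safe_rejected


if __name__ == "__main__":
    out, rejected = demonstrate()
    print("yaml.Loader executed the tag, output:", out)
    print("safe_load rejected the document:", rejected)
```

The audit check is mechanical: grep for yaml.load(, yaml.Loader, yaml.UnsafeLoader and yaml.FullLoader (older FullLoader versions also had bypasses), and replace with yaml.safe_load or yaml.load(..., Loader=yaml.SafeLoader) unless the document source is fully trusted.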
Tenable Nessus
added 2023/10/10 12:00 a.m., 39 views

Oracle Linux 7 : python-reportlab (ELSA-2023-5616)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-5616 advisory. Changelog: "2.5-11 - Do not evaluate unichar element - Resolves: RHEL-7011". Tenable has extracted the preceding description block directly from the Oracle Linux security...

CVSS 9.8, AI score 8.2, EPSS 0.09484
Exploits: 0, References: 2
OSV
added 2023/10/09 9:30 p.m., 0 views

GHSA-GJJR-63X4-V8CQ langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py...

CVSS 9.8, AI score 7.6, EPSS 0.00118
Exploits: 0, References: 6
Github Security Blog
added 2023/10/03 9:54 p.m., 32 views

Presto JDBC Server-Side Request Forgery by nextUri

Summary: Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting to a remote Presto server. An attacker who controls the response content can set the nextUri field to an internal server; the Presto JDBC client will request that URI next, letting the attacker view sensitive information from highly sensitive internal...

AI score 6.7
Exploits: 0, References: 2, Affected software: 1
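The SSRF above is a trust problem in a polling protocol: the client follows whatever nextUri the response hands it. The usual fix is to pin every nextUri to the origin the client was configured to talk to (scheme, host and port all equal) before it is fetched. The following is an added example, not Presto JDBC's code: a check_next_uri() pin plus a follow_query() loop that walks constructed JSON responses the way a polling client would, stopping on the first off-origin URI. The host names, the "/v1/statement" path and the response shapes are assumptions made for the example.

```python
"""Pinning a server-supplied nextUri to the connected origin
(added example, not Presto JDBC's code)."""
from urllib.parse import urlsplit


class UnsafeNextUri(ValueError):
    """Raised when a response tries to send the client somewhere else."""


_DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url: str):
    """(scheme, lowercase hostname, effective port) for comparison."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # hostname strips user:pass@ tricks
    port = parts.port or _DEFAULT_PORT.get(parts.scheme)
    return parts.scheme.lower(), host, port


def check_next_uri(connected_url: str, next_uri: str) -> str:
    """Accept next_uri only if its origin equals the origin the client connected
    to. Scheme downgrades, other hosts and other ports are all refused."""
    if _origin(next_uri) != _origin(connected_url):
        raise UnsafeNextUri("nextUri %r leaves origin %r" % (next_uri, connected_url))
    return next_uri


def follow_query(connected_url: str, responses) -> list:
    """Walk a sequence of (constructed) response bodies like a client polling a
    query, validating each nextUri before it would be requested.
    Returns the list of URLs the client would have fetched."""
    url = connected_url + "/v1/statement"
    visited = []
    for body in responses:
        visited.append(url)
        nxt = body.get("nextUri")
        if nxt is None:                     # final page of results
            break
        url = check_next_uri(connected_url, nxt)
    return visited


# Constructed response sequences (no network involved).
CONNECTED_URL = "http://presto.example:8080"
LEGIT_RESPONSES = [
    {"id": "q1", "nextUri": "http://presto.example:8080/v1/statement/q1/1"},
    {"id": "q1", "nextUri": "http://PRESTO.example:8080/v1/statement/q1/2"},
    {"id": "q1", "data": [[1]]},
]
HOSTILE_RESPONSES = [
    {"id": "q1", "nextUri": "http://presto.example:8080/v1/statement/q1/1"},
    {"id": "q1", "nextUri": "http://internal-admin.corp:8080/secrets"},  # off-origin
]


if __name__ == "__main__":
    print("legit walk:", follow_query(CONNECTED_URL, LEGIT_RESPONSES))
    try:
        follow_query(CONNECTED_URL, HOSTILE_RESPONSES)
    except UnsafeNextUri as e:
        print("blocked:", e)
```

Comparing on urlsplit().hostname rather than the raw netloc matters: "http://presto.example:8080@internal-admin.corp/" has the expected text in it but its hostname is internal-admin.corp, and the check rejects it.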
OSV
added 2023/09/20 3:30 p.m., 23 views

GHSA-PJ98-2XF6-CFF5 ReportLab vulnerable to remote code execution via paraparser

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626...

CVSS 9.8, AI score 9.9, EPSS 0.09484
Exploits: 0, References: 8
Prion
added 2023/09/20 2:15 p.m., 17 views

Remote code execution

paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626...

CVSS 7.5, AI score 9.6, EPSS 0.16839
Exploits: 1, References: 3, Affected software: 2
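Two of the entries in this list are eval()-shaped bugs in Python libraries: the ReportLab unichar issue (an XML attribute that should be an integer is handed to eval) and the LangChain PALChain bypass further up (a blocklist that rejects "import" statements but not the __import__ builtin). The following is an added example, written for this page and not the code of either project, showing a constructed vulnerable unichar handler beside an int()-based fix, and a naive AST validator beside a stricter one that also refuses __import__ and dunder attribute access. The payload "__import__('math').factorial(5)" is constructed so the demonstration is harmless; the function names are assumptions.

```python
"""eval() of untrusted input and AST blocklists (added example; not ReportLab's
or LangChain's own code)."""
import ast


# --- 1. ReportLab-style: an attribute that should be an integer is eval()'d ---

def unichar_vulnerable(code_attr: str) -> str:
    """Vulnerable: the 'code' attribute of <unichar> goes straight to eval(),
    so a crafted document runs arbitrary Python expressions."""
    return chr(eval(code_attr))


def unichar_fixed(code_attr: str) -> str:
    """Fixed: parse an integer literal only. base 0 accepts 65, 0x41, 0o101;
    anything else raises ValueError instead of being executed."""
    return chr(int(code_attr, 0))


# Constructed payload: an "integer" that imports a module and calls into it.
# factorial(5) == 120, so the vulnerable handler returns chr(120) == 'x'.
UNICHAR_PAYLOAD = "__import__('math').factorial(5)"


# --- 2. PALChain-style: forbid import statements, then forbid the builtin too ---

def validate_naive(source: str) -> bool:
    """The pre-fix shape of the check: only ast.Import / ast.ImportFrom nodes
    are rejected. A call to __import__() is an ordinary Call node and passes."""
    tree = ast.parse(source)
    return not any(isinstance(n, (ast.Import, ast.ImportFrom)) for n in ast.walk(tree))


def validate_strict(source: str) -> bool:
    """Also rejects any dunder name or attribute (__import__, __class__,
    __globals__, __builtins__ ...), which is how eval-style sandboxes are
    usually escaped. Allowlisting node types is stronger still; this shows the
    minimum needed to close the reported gap."""
    tree = ast.parse(source)
    for n in ast.walk(tree):
        if isinstance(n, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(n, ast.Name) and n.id.startswith("__"):
            return False
        if isinstance(n, ast.Attribute) and n.attr.startswith("__"):
            return False
    return True


BYPASS_SOURCE = "result = __import__('math').factorial(5)"   # no 'import' statement
BENIGN_SOURCE = "total = sum([1, 2, 3]) * 2"


if __name__ == "__main__":
    print("vulnerable unichar ->", repr(unichar_vulnerable(UNICHAR_PAYLOAD)))
    print("fixed unichar 0x41 ->", repr(unichar_fixed("0x41")))
    print("naive accepts bypass:", validate_naive(BYPASS_SOURCE))
    print("strict accepts bypass:", validate_strict(BYPASS_SOURCE))
    print("strict accepts benign:", validate_strict(BENIGN_SOURCE))
```

The general lesson from both halves is that eval() and exec() have no safe subset reachable by blocklisting: parse the narrow thing you actually need (an integer, a literal via ast.literal_eval) or run the code in a real isolation boundary.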
Veracode
added 2023/09/08 9:16 a.m., 13 views

Remote Code Execution

ethyca-fides is vulnerable to arbitrary code execution. The vulnerability affects API clients that hold a special permission called "CONNECTOR_TEMPLATE_REGISTER": in the Fides Admin interface such a client can upload a zip file containing arbitrary Python code and have it executed. Exploitation is...

CVSS 8.8, AI score 7.5, EPSS 0.00071
Exploits: 0, References: 2, Affected software: 1
OSV
added 2023/09/07 12:59 p.m., 21 views

GHSA-P6P2-QQ95-VQ5H Remote Code Execution in Custom Integration Upload

Impact: The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox...

CVSS 8.8, AI score 8.0, EPSS 0.00071
Exploits: 0, References: 4
OSV
added 2023/09/06 5:58 p.m., 11 views

CVE-2023-41050 Information disclosure through Python's "format" functionality in Zope AccessControl

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible recursively via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use...

CVSS 6.8, AI score 7.4, EPSS 0.00323
Exploits: 0, References: 4
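The mechanism described above is generic Python, not specific to Zope: str.format lets a field name walk attributes with "." and subscript with "[]", so a format string the user controls can start from any object it is given and reach that object's class, the class's methods, their __globals__, and from there anything importable. The following is an added example, not AccessControl's implementation: a constructed module-level secret, an innocuous object, the leaking template, and a string.Formatter subclass that refuses traversal syntax so only whole top-level fields can be rendered. Names and the secret value are constructed for the example.

```python
"""str.format attribute traversal and a restricted formatter
(added example, not Zope AccessControl's code)."""
import string

DB_PASSWORD = "hunter2"   # constructed module-level secret that should never reach a user


class Greeter:
    """An innocuous object handed to a user-controlled format string."""

    def __init__(self, name: str):
        self.name = name

    def __str__(self) -> str:
        return self.name


def render_unsafe(template: str, obj) -> str:
    """Vulnerable: str.format follows '.' and '[]' through anything reachable
    from its arguments, with no access control at all."""
    return template.format(obj)


class RestrictedFormatter(string.Formatter):
    """Hardened: a field may name a positional or keyword argument and nothing
    more. Any attribute or index traversal inside the field is refused, so the
    caller decides exactly which values are renderable."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError("traversal not allowed in format field: %r" % field_name)
        return super().get_field(field_name, args, kwargs)


def render_safe(template: str, obj) -> str:
    return RestrictedFormatter().format(template, obj)


# Constructed attacker template: instance -> class -> __init__ function ->
# that function's module globals -> the secret stored there.
LEAK_TEMPLATE = "Hello {0.name}, secret={0.__class__.__init__.__globals__[DB_PASSWORD]}"
BENIGN_TEMPLATE = "Hello {0}"


if __name__ == "__main__":
    g = Greeter("Alice")
    print("unsafe:", render_unsafe(LEAK_TEMPLATE, g))
    print("safe  :", render_safe(BENIGN_TEMPLATE, g))
    try:
        render_safe(LEAK_TEMPLATE, g)
    except ValueError as e:
        print("blocked:", e)
```

The restricted formatter is deliberately blunt: {0.name} is refused along with the leak, so objects to be rendered need a __str__ or must be passed as explicit scalar keyword arguments. That trade is the point; a traversal allowlist has to be enforced per attribute, which is exactly what AccessControl's fix has to do for Zope's security model.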
Cvelist
added 2023/09/06 5:54 p.m., 11 views

CVE-2023-41319 Remote Code Execution in Custom Integration Upload in Fides

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML...

CVSS 8.8, AI score 9.0, EPSS 0.00071
Exploits: 0, References: 2