45 matches found
EUVD-2024-1267
Malicious code in bioql PyPI...
EUVD-2023-0197
Malicious code in bioql PyPI...
EUVD-2023-0196
Malicious code in bioql PyPI...
CVE-2023-41885
Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the implementation of BaseUser.login leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on its own does not...
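The CVE-2023-41885 entry above says BaseUser.login leaks enough information to enumerate valid users; the snippet is truncated, so the page does not say which signal leaks. The block below is an added, generic illustration, not Piccolo's BaseUser code and not its fix: it puts the two classic enumeration channels side by side, a distinct error message and skipped password hashing for unknown accounts, against a version that returns one message and does the same PBKDF2 work whether or not the account exists. The user store, messages, iteration count and the STATS counter are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store and PBKDF2 settings for the demo; not Piccolo's schema.
ITERATIONS = 50_000
STATS = {"hash_calls": 0}  # counts password hashes so skipped work is observable


def hash_password(password: str, salt: bytes) -> bytes:
    STATS["hash_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(users: dict) -> dict:
    """Map username -> (salt, hash) from a plaintext dict (constructed test data)."""
    store = {}
    for username, password in users.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# A random credential that is hashed whenever the username is unknown, so the
# amount of work done does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

LOGIN_FAILED = "The username or password is incorrect."


def login_leaky(store: dict, username: str, password: str):
    """Enumeration-prone shape: distinct message and no hashing for unknown users."""
    if username not in store:
        return None, "User not found"
    salt, stored = store[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return username, None
    return None, "Incorrect password"


def login_uniform(store: dict, username: str, password: str):
    """Hardened shape: same message and same hashing work for every failure."""
    salt, stored = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and username in store:
        return username, None
    return None, LOGIN_FAILED


if __name__ == "__main__":
    users = make_store({"alice": "correct horse"})
    print(login_leaky(users, "bob", "x"), login_leaky(users, "alice", "x"))
    print(login_uniform(users, "bob", "x"), login_uniform(users, "alice", "x"))
```

The HTTP layer has to match: the same status code and body for both failure cases, and a rate limit on the endpoint, otherwise the remaining timing noise (here only a dict lookup) is still worth measuring for an attacker with many attempts.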
CVE-2023-47128
Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoint's name...
CVE-2024-30248
Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin...
CVE-2024-30248 Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin...
CVE-2024-30248
CVE-2024-30248 affects Piccolo Admin, the Python-based admin interface for Piccolo. The vulnerability arises from SVG uploads being allowed by default, allowing an attacker to load a malicious SVG that can grant arbitrary access to the admin page. The root cause is insufficient validation/handlin...
Piccolo security vulnerability
Piccolo is a fast, user-friendly ORM and query builder from Piccolo Open Source. A security vulnerability exists in Piccolo Admin prior to version 1.3.2, which stems from the fact that Piccolo's admin panel allows uploading of media files, which can be exploited by an attacker to upload an SVG...
GHSA-PMWW-V6C9-7P83 Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
Summary Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page. This access...
PT-2024-23295 · Unknown · Piccolo Admin
Name of the Vulnerable Software and Affected Versions: Piccolo Admin versions prior to 1.3.2 Description: The issue concerns the Piccolo Admin interface, which allows media file uploads, including SVG files by default. An attacker can upload a malicious SVG file, which, when loaded, can provide...
CVE-2024-30248
| creationtimestamp | type | source |
|---|---|---|
| 2024-03-30 13:58:13+00:00 | published-proof-of-concept | https://github.com/piccolo-orm/piccoloadmin/security/advisories/GHSA-pmww-v6c9-7p83... |
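The CVE-2024-30248 / GHSA-PMWW-V6C9-7P83 entries above describe script carried in an uploaded SVG running in the admin page's context. The block below is an added example, not Piccolo Admin's code and not its 1.3.2 fix: a stdlib scan for the constructs that make an SVG active (script and foreignObject elements, on* event handlers, javascript: URLs including the whitespace-split form) and a header set for serving uploads as downloads rather than rendering them on the admin origin. The sample SVGs, the allow-lists and the header values are constructed for the demo; the response-header helper is an assumed mitigation, not the project's configuration.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or embed arbitrary HTML when an SVG is rendered as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that take a URL and therefore accept a javascript: scheme.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}


def _local(qualified: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list:
    """Return (kind, detail) findings for script-bearing constructs in an SVG."""
    findings = []
    root = ET.fromstring(svg_bytes)  # stdlib expat; does not fetch external entities
    for element in root.iter():
        if not isinstance(element.tag, str):
            continue  # comments / processing instructions, if a parser keeps them
        tag = _local(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("element", tag))
        for attr, value in element.attrib.items():
            if _local(attr).startswith("on"):
                findings.append(("handler", _local(attr)))
            elif attr in URL_ATTRIBUTES:
                # Collapse whitespace first: 'java\nscript:' is still executed by browsers.
                if "".join(value.split()).lower().startswith("javascript:"):
                    findings.append(("javascript-url", tag))
    return findings


def upload_response_headers(filename: str) -> dict:
    """Headers for serving user uploads so a stored SVG cannot run in the admin origin.

    Assumed mitigation set (not Piccolo Admin's own configuration): force download,
    forbid MIME sniffing, and deny script and frames if the file is ever rendered inline.
    """
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed samples for the demo; neither is the advisory's proof of concept.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="red" onload="console.log('handler ran')"/>
  <a xlink:href="java&#10;script:console.log('url ran')"><text y="50">link</text></a>
  <script>console.log('script ran')</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_SVG):
        print(finding)
    print(find_active_content(BENIGN_SVG))
```

Scanning is the weaker half: the durable fix is to drop SVG from the allowed upload types, or to serve uploads from a separate origin with the headers above, so that whatever the file contains it never executes with the admin session's cookies.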
SQL Injection
Piccolo is vulnerable to SQL Injection. The vulnerability is caused by a lack of user input validation while executing SQL statements. The input passed to connection.execute is not properly escaped. An attacker can exploit this vulnerability to obtain direct access to the database and has the...
casper7-plugin-meatball-day (>=0.1.0 <=0.4.2), gator-eda (=0.1.0) +6 more potentially affected by CVE-2023-47128 via piccolo (>=0.103.0 <=0.96.0)
piccolo PYPI version =0.103.0, =0.1.0, =0.3.1, =0.2.0, =0.3.8, =0.0.22, =0.1.0, =1.0.0, =1.5.1 Source cves: CVE-2023-47128 Source advisory: OSV:GHSA-XQ59-7JF3-RJC6...
piccolo SQL Injection via named transaction savepoints
Summary The handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection as user-provided input is passed directly to connection.execute... via f-strings. Details An excerpt of the Postgres savepoint handling (Python): `async def savepoint(self, name: ...`
CVE-2023-47128
Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoint's name...
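The savepoint entries above (CVE-2023-47128, OSV:GHSA-XQ59-7JF3-RJC6) describe a user-controlled name reaching connection.execute through an f-string. The block below is an added example, not Piccolo's code and not its fix: a sqlite3 stand-in shows what a hostile name does when interpolated, and the validate-then-quote pattern that an identifier needs because it cannot be bound as a query parameter. The secrets table, the payload, and the use of executescript to emulate a driver that accepts multi-statement text are constructed for the demo.

```python
import re
import sqlite3

# Allow-list for a savepoint identifier: letters, digits, underscore; no leading digit.
SAVEPOINT_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
MAX_IDENTIFIER_LENGTH = 63  # Postgres truncates identifiers beyond 63 bytes


def build_savepoint_sql_unsafe(name: str) -> str:
    """The pattern the advisory describes: the name is interpolated with an f-string."""
    return f"SAVEPOINT {name}"


def validate_savepoint_name(name: str) -> str:
    """Reject anything that is not a plain identifier; identifiers cannot be bound as parameters."""
    if not SAVEPOINT_NAME_RE.fullmatch(name) or len(name) > MAX_IDENTIFIER_LENGTH:
        raise ValueError(f"invalid savepoint name: {name!r}")
    return name


def build_savepoint_sql_safe(name: str) -> str:
    """Validate, then quote the identifier so it can never be read as anything else."""
    return f'SAVEPOINT "{validate_savepoint_name(name)}"'


def vulnerable_savepoint(conn: sqlite3.Connection, name: str) -> None:
    # executescript stands in for a driver whose execute() accepts multi-statement text
    # (demo assumption; sqlite3's execute() itself refuses a second statement).
    conn.executescript(build_savepoint_sql_unsafe(name))


def hardened_savepoint(conn: sqlite3.Connection, name: str) -> None:
    conn.execute(build_savepoint_sql_safe(name))


def new_db() -> sqlite3.Connection:
    """Constructed in-memory database with one table an attacker would like to drop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO secrets (value) VALUES ('placeholder')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo(payload: str = "sp1; DROP TABLE secrets") -> dict:
    """Run the same attacker-chosen name through both implementations."""
    vulnerable = new_db()
    vulnerable_savepoint(vulnerable, payload)

    hardened = new_db()
    try:
        hardened_savepoint(hardened, payload)
        rejected = False
    except ValueError:
        rejected = True
    hardened_savepoint(hardened, "sp1")  # a legitimate name still works

    return {
        "unsafe_sql": build_savepoint_sql_unsafe(payload),
        "vulnerable_dropped_table": not table_exists(vulnerable, "secrets"),
        "hardened_rejected_payload": rejected,
        "hardened_table_intact": table_exists(hardened, "secrets"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Quoting alone is not enough (a name containing a double quote would still need escaping) and the allow-list alone leaves the identifier unquoted; doing both keeps the generated statement unambiguous on Postgres and SQLite, and the same check belongs on RELEASE SAVEPOINT and ROLLBACK TO, which take the same name.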