2 matches found
Tornado has incomplete validation of cookie attributes
Values passed to the domain, path, and samesite arguments of RequestHandler.setcookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes...
PT-2024-18156
Name of the Vulnerable Software and Affected Versions mlflow/mlflow affected versions not specified Description A path traversal issue exists due to improper handling of URL parameters. Attackers can manipulate the 'params' portion of the URL by smuggling path traversal sequences using the ';'...