
146 matches found

Github Security Blog
added 2024/03/14 8:37 p.m. | 22 views

Whoogle Search Cross-site Scripting vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned...

CVSS 6.1 | AI score 6.1 | EPSS 0.00468
Exploits: 1 | References: 11 | Affected Software: 1
Cvelist
added 2023/12/15 8:42 p.m. | 11 views

CVE-2023-50265 Bazarr Arbitrary file read in /api/swaggerui/static endpoint

Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1...

CVSS 7.5 | AI score 7.5 | EPSS 0.00216
Exploits: 1 | References: 3
Vulnrichment
added 2023/12/15 8:42 p.m. | 13 views

CVE-2023-50265 Bazarr Arbitrary file read in /api/swaggerui/static endpoint

Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1...

CVSS 7.5 | AI score 6.7 | EPSS 0.00216
Exploits: 1 | References: 3
Github Security Blog
added 2022/07/13 3:43 p.m. | 21 views

Ganga allows absolute path traversal

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | AI score 8.9 | EPSS 0.0059
Exploits: 1 | References: 6 | Affected Software: 1
Veracode
added 2022/07/13 5:55 a.m. | 20 views

Path Traversal

chainerrlvisualizer is vulnerable to path traversal. The vulnerability exists due to a lack of sanitization of the Flask send_file function allowing an attacker to traverse through the directory via the image path...

CVSS 9.3 | AI score 8.6 | EPSS 0.00432
Exploits: 1 | References: 3 | Affected Software: 1
CNVD
added 2022/07/13 12:00 a.m. | 14 views

CarceresBE path traversal vulnerability

CarceresBE is an SKS parking management system backend open sourced by Delor4. CarceresBE 1.0 and earlier versions have a path traversal vulnerability that stems from a failure of Flask's send_file function to properly filter special elements in a resource or file path, which could be exploited by...

CVSS 9.3 | AI score 3.6 | EPSS 0.00432
Exploits: 1 | References: 1
CNVD
added 2022/07/13 12:00 a.m. | 18 views

Barry-Voice-Assistant path traversal vulnerability

Barry-Voice-Assistant is a voice assistant from the Bulgarian individual developer Lyuboslav Karev. Barry-Voice-Assistant 2021-01-18 and earlier versions have a path traversal vulnerability, which stems from the failure of Flask's send_file function to properly filter special elements in resource or...

CVSS 9.3 | AI score 3.6 | EPSS 0.00432
Exploits: 1 | References: 1
CNVD
added 2022/07/13 12:00 a.m. | 38 views

Annotation Tool path traversal vulnerability

Annotation Tool is a Bonn activity map annotation tool open sourced by bonn-activity-maps. 2021-08-31 and earlier versions of Annotation Tool are vulnerable to a path traversal vulnerability that stems from a failure of Flask's send_file function to properly filter special elements in a resource o...

CVSS 9.3 | AI score 3.6 | EPSS 0.00432
Exploits: 1 | References: 1
CNVD
added 2022/07/13 12:00 a.m. | 30 views

flask-mongo-skel path traversal vulnerability

flask-mongo-skel is a Flask MongoDB framework from the individual developer Shamail Tayyab. flask-mongo-skel 2012-11-01 and earlier versions contain a path traversal vulnerability that stems from a failure of Flask's send_file function to properly filter resource or file paths for The vulnerability is...

CVSS 9.3 | AI score 2.8 | EPSS 0.00432
Exploits: 1 | References: 1
CNVD
added 2022/07/13 12:00 a.m. | 29 views

AutomatedQuizEval path traversal vulnerability

AutomatedQuizEval, an automated quiz evaluation system from the individual developer Sravani Boinepelli, suffers from a path traversal vulnerability that stems from the failure of Flask's send_file function to properly filter special elements in resource or file paths, which could be exploited by...

CVSS 9.3 | AI score 4.5 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 8 views

CVE-2022-31581

The scorelab/OpenMF repository before 2022-05-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 2
NVD
added 2022/07/11 1:15 a.m. | 7 views

CVE-2022-31586

The unizar-30226-2019-06/ChangePop-Back repository through 2019-06-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 12 views

CVE-2022-31587

The yuriyouzhou/KG-fashion-chatbot repository through 2018-05-22 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 11 views

CVE-2022-31588

The zippies/testplatform repository through 2016-07-19 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 10 views

CVE-2022-31551

The pleomax00/flask-mongo-skel repository through 2012-11-01 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 15 views

CVE-2022-31558

The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00465
Exploits: 0 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 10 views

CVE-2022-31553

The rainsoupah/sleep-learner repository through 2021-02-21 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00432
Exploits: 1 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 9 views

CVE-2022-31563

The whmacmac/vprj repository through 2022-04-06 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00465
Exploits: 0 | References: 1
NVD
added 2022/07/11 1:15 a.m. | 9 views

CVE-2022-31562

The waveyan/internshipsystem repository through 2018-05-22 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | EPSS 0.00465
Exploits: 0 | References: 1
OSV
added 2022/07/11 1:15 a.m. | 10 views

CVE-2022-31564

The woduq1414/munhak-moa repository before 2022-05-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely...

CVSS 9.3 | AI score 6.9
Exploits: 0 | References: 2