
Github Security Blog
added 2025/12/01 7:07 p.m. · 8 views

Spotipy has an XSS vulnerability in its OAuth callback server

Summary: XSS vulnerability in the OAuth callback server allows JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. Details: Vulnerable code: spotipy/oauth2.py, lines 1238-1274, RequestHandler.do_GET. The...

CVSS 3.6 · AI score 6.1 · EPSS 0.00138
Exploits 0 · References 4 · Affected Software 1
vulnersOsv
added 2025/11/27 12:02 a.m. · 6 views

deezspot-spotizerr (>=2.2.4 <=3.1.5), deezspot-spotizerr-phoenix (>=0.0.11 <=0.0.14) +36 more potentially affected by CVE-2025-66040 via spotipy (>=2.10.0 <=2.25.1)

spotipy PYPI version =2.10.0, =2.2.4, =0.0.11, =0.0.10, =2.6.0, =0.0.3, =0.0.1, =0.2.0, =0.1.1, =0.1.0, =0.115.0 and more. Source CVEs: CVE-2025-66040. Source advisory: SNYK:PYTHON-SPOTIPY-14135648...

CVSS 3.6 · AI score 5.7 · EPSS 0.00138
Exploits 0
Vulnrichment
added 2025/11/26 11:14 p.m. · 2 views

CVE-2025-66040 Spotipy has an XSS vulnerability in OAuth callback server

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...

CVSS 3.6 · AI score 5.9 · EPSS 0.00138
Exploits 0 · References 2
FreeBSD
added 2025/11/26 12:00 a.m. · 6 views

spotipy -- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm reports: Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the...

CVSS 3.6 · AI score 6 · EPSS 0.00138
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 19 views

EUVD-2023-0527

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.7 · EPSS 0.00653
Exploits 1 · References 4
Cvelist
added 2025/05/15 8:09 p.m. · 22 views

CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`

Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on .github/workflows/integrationtests.yml followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...

CVSS 9.1 · EPSS 0.00404
Exploits 0 · References 3
Vulnrichment
added 2025/05/15 8:09 p.m. · 12 views

CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`

Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on .github/workflows/integrationtests.yml followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...

CVSS 9.1 · AI score 7.1 · EPSS 0.00404
Exploits 0 · References 3
Debian CVE
added 2025/05/15 8:09 p.m. · 9 views

CVE-2025-47928

Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on .github/workflows/integrationtests.yml followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...

CVSS 9.1 · AI score 8.3 · EPSS 0.00404
Exploits 0
OSV
added 2025/05/15 8:09 p.m. · 11 views

CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`

Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on .github/workflows/integrationtests.yml followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...

CVSS 9.1 · AI score 8.9 · EPSS 0.00404
Exploits 0 · References 5
CVE
added 2025/02/27 1:53 p.m. · 112 views

CVE-2025-27154

CVE-2025-27154 affects Spotipy’s CacheHandler file permissions. Before version 2.25.1, the cache file is created with 644 permissions by default, exposing the Spotify auth token to other users or processes on the same machine. Version 2.25.1 tightens permissions to 600, reducing token exposure. T...

CVSS 9.8 · AI score 6.8 · EPSS 0.00589
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
added 2023/01/24 2:39 a.m. · 4 views

CVE-2023-23608 spotipy Path traversal vulnerability that may lead to type confusion in URI handling code

Spotipy is a lightweight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. The code Spotipy uses to parse URIs and URLs allows an...

AI score 4.7 · EPSS 0.00653
Exploits 1 · References 1
vulnersOsv
added 2023/01/23 10:05 p.m. · 3 views

discogrify (>=0.0.10 <=0.0.11), djtools (>=2.6.0 <=2.7.13rc13) +14 more potentially affected by CVE-2023-23608 via spotipy (>=2.10.0 <=2.22.0)

spotipy PYPI version =2.10.0, =0.0.10, =2.6.0, =0.0.1, =0.1.0, =0.0.2.dev4, =1.0.0, =0.0.1, =6.0.0, =0.1.1, =0.1.0, =1.0.0, =1.3.0 and more. Source CVEs: CVE-2023-23608. Source advisory: OSV:GHSA-Q764-G6FM-555V...

CVSS 4.3 · AI score 5.8 · EPSS 0.00653
Exploits 1
Positive Technologies
added 2023/01/23 12:00 a.m. · 7 views

PT-2023-19070 · Pypi · Spotipy

Name of the Vulnerable Software and Affected Versions: Spotipy versions prior to 2.22.1
Description: The issue arises when a malicious URI is passed to the library, allowing it to be tricked into performing an operation on a different API endpoint than intended. This is possible because the code...

CVSS 5.4 · AI score 4.4 · EPSS 0.00653
Exploits 1 · References 7