Lucene search
K
PypaMost viewed

5624 matches found

PyPA
PyPA
added 2023/04/20 9:15 p.m.8 views

PYSEC-2023-41

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export a non-default feature. Users were able to upload crafted HTML documents that trigger the reading of arbitrary files...

6.5CVSS7AI score0.06648EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/04/18 4:15 p.m.8 views

PYSEC-2023-34

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0...

9.8CVSS6.8AI score0.00619EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/04/15 8:16 p.m.8 views

PYSEC-2023-22

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attacke...

6.3CVSS7.1AI score0.00299EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/04/07 3:15 p.m.8 views

PYSEC-2023-3

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2...

7.5CVSS7AI score0.02062EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/04/05 2:15 a.m.8 views

PYSEC-2023-18

In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method...

9.8CVSS8.2AI score0.39653EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/03/26 7:15 p.m.8 views

PYSEC-2023-46

redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time in the case of a non-pipeline operation, and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858...

6.5CVSS7.1AI score0.01034EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/03/16 9:15 p.m.8 views

PYSEC-2023-50

Streamlit, software for turning data scripts into web applications, had a cross-site scripting XSS vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit apps were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to ...

6.1CVSS5.5AI score0.00407EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/03/10 2:15 a.m.8 views

PYSEC-2023-318

WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild...

5.5CVSS6AI score0.00278EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2023/03/08 12:15 a.m.8 views

PYSEC-2023-86

OWSLib is a Python package for client programming with Open Geospatial Consortium OGC web service interface standards, and their related content models. OWSLib's XML parser which supports both lxml and xml.etree does not disable entity resolution, and could lead to arbitrary file reads from an...

8.2CVSS7AI score0.00985EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/03/06 11:15 p.m.8 views

PYSEC-2023-42

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1...

7.5CVSS6.9AI score0.00623EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/02/15 3:15 p.m.8 views

PYSEC-2023-49

Starlite is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and ...

7.5CVSS7AI score0.01004EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/02/15 1:15 a.m.8 views

PYSEC-2023-13

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs e.g., an excessive number of parts to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for ...

7.5CVSS7AI score0.62575EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2023/02/10 7:15 p.m.8 views

PYSEC-2023-32

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4...

9.8CVSS6.8AI score0.15088EPSS
Exploits4References6Affected Software1
PyPA
PyPA
added 2023/02/07 9:15 p.m.8 views

PYSEC-2023-11

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.updateinto would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects such as bytes to b...

6.5CVSS8.2AI score0.01301EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/02/06 5:15 p.m.8 views

PYSEC-2023-208

A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may ...

4.3CVSS6.8AI score0.00666EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2022/12/23 12:15 a.m.8 views

PYSEC-2022-42991

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server...

7.5CVSS7.3AI score0.01804EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2022/12/14 3:15 p.m.8 views

PYSEC-2022-42989

A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent up to 1.6. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. The attack may be initiated...

6.1CVSS6AI score0.00492EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/12/12 6:15 p.m.8 views

PYSEC-2022-43002

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2...

9.8CVSS6.7AI score0.00789EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/12/06 8:15 p.m.8 views

PYSEC-2022-42998

A directory traversal vulnerability in the SevenZipFile.extractall function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file...

9.1CVSS7AI score0.02242EPSS
Exploits3References7Affected Software1
PyPA
PyPA
added 2022/12/06 6:15 p.m.8 views

PYSEC-2022-42997

Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python random library for random value selection. The python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator...

7.5CVSS6.8AI score0.00791EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/11/04 11:0 a.m.8 views

PYSEC-2022-42969

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS Regular expression Denial of Service attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled...

7.5CVSS7AI score0.01546EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/11/02 12:15 p.m.8 views

PYSEC-2022-42971

In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's /confirm endpoint...

6.1CVSS6.8AI score0.01494EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2022/10/26 4:15 p.m.8 views

PYSEC-2022-42972

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it...

7.5CVSS6.9AI score0.01341EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.8 views

PYSEC-2022-43032

The d8s-utility package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/22 7:15 p.m.8 views

PYSEC-2022-289

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.7...

7CVSS6.7AI score0.00375EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/22 10:15 a.m.8 views

PYSEC-2022-284

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.6...

6.8CVSS6.7AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 12:15 p.m.8 views

PYSEC-2022-283

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3...

8.8CVSS6.7AI score0.00437EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/21 8:15 a.m.8 views

PYSEC-2022-279

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction...

7.5CVSS6.7AI score0.01573EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.8 views

PYSEC-2022-43106

The d8s-dicts for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01005EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2022/09/19 4:15 p.m.8 views

PYSEC-2022-43123

The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/09/19 3:15 p.m.8 views

PYSEC-2022-43103

The d8s-uuids for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0...

9.8CVSS7AI score0.01033EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/15 9:15 a.m.8 views

PYSEC-2022-278

Cross-Site Request Forgery CSRF in GitHub repository ikus060/rdiffweb prior to 2.4.3...

8.8CVSS6.7AI score0.00622EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/14 11:15 a.m.8 views

PYSEC-2022-267

OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by an vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacke...

9.8CVSS7.2AI score0.01653EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/13 9:15 p.m.8 views

PYSEC-2022-276

LIEF commit 365a16a was discovered to contain a heap-buffer overflow via the function printbinary at /c/machoreader.c...

7.8CVSS7.6AI score0.00328EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/09/13 9:15 p.m.8 views

PYSEC-2022-277

LIEF commit 365a16a was discovered to contain a segmentation violation via the component CoreFile.tcc:69...

5.5CVSS7.3AI score0.00287EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/09/13 5:15 p.m.8 views

PYSEC-2022-272

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.4.2...

8.8CVSS6.8AI score0.00785EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/13 10:15 a.m.8 views

PYSEC-2022-273

Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2...

5.3CVSS6.6AI score0.00684EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/09/09 9:15 p.m.8 views

PYSEC-2022-269

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of urivalidate functions depending where it is used. OAuthLib...

6.5CVSS6.8AI score0.01258EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/09 7:15 p.m.8 views

PYSEC-2022-270

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose...

7.5CVSS6.7AI score0.00924EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2022/09/07 1:15 p.m.8 views

PYSEC-2022-260

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin...

7.5CVSS7AI score0.01718EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2022/09/06 5:15 p.m.8 views

PYSEC-2022-265

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS8.1AI score0.01738EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2022/09/02 8:15 p.m.8 views

PYSEC-2022-262

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including...

7.5CVSS6.8AI score0.00938EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/08/29 3:15 p.m.8 views

PYSEC-2022-258

A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote " in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext...

4.9CVSS6.7AI score0.01335EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2022/08/24 4:15 p.m.8 views

PYSEC-2022-253

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...

7.8CVSS8.2AI score0.0031EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/08/18 7:15 p.m.8 views

PYSEC-2022-249

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting XSS vulnerabilities if the...

7.5CVSS8.2AI score0.01102EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/08/03 2:15 p.m.8 views

PYSEC-2022-245

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input...

8.8CVSS6.9AI score0.00654EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2022/07/28 11:15 p.m.8 views

PYSEC-2022-43174

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package...

9.8CVSS7.8AI score0.01011EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/07/26 6:15 a.m.8 views

PYSEC-2022-244

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files...

7.5CVSS6.8AI score0.01336EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2022/07/25 2:15 p.m.8 views

PYSEC-2022-43182

Withdrawn as duplicate of PYSEC-2022-239. The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim...

8CVSS6.9AI score0.00698EPSS
Exploits1References2
PyPA
PyPA
added 2022/07/22 3:15 p.m.8 views

PYSEC-2022-43166

The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party...

9.8CVSS7.6AI score0.01254EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities5000